Callback Phishing via Zoom comment
Detects callback scams sent through legitimate Zoom infrastructure that impersonate well-known brands like McAfee, Norton, or PayPal. These messages contain purchase or support-related language along with phone numbers, attempting to trick recipients into calling fraudulent support lines.
Sublime rule (View on GitHub)
1name: "Callback Phishing via Zoom comment"
2description: "Detects callback scams sent through legitimate Zoom infrastructure that impersonate well-known brands like McAfee, Norton, or PayPal. These messages contain purchase or support-related language along with phone numbers, attempting to trick recipients into calling fraudulent support lines."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and length(attachments) == 0
8
9 // Legitimate Zoom sending infratructure
10 and sender.email.domain.root_domain == 'zoom.us'
11 and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
12
13 // Zoom Logo
14 and any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Zoom")
15
16 // Callback Phishing
17 and regex.icontains(body.current_thread.text,
18 (
19 "mcafee|n[o0]rt[o0]n|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifel[o0]ck"
20 )
21 )
22 and 3 of (
23 strings.ilike(body.current_thread.text, '*purchase*'),
24 strings.ilike(body.current_thread.text, '*payment*'),
25 strings.ilike(body.current_thread.text, '*transaction*'),
26 strings.ilike(body.current_thread.text, '*subscription*'),
27 strings.ilike(body.current_thread.text, '*antivirus*'),
28 strings.ilike(body.current_thread.text, '*order*'),
29 strings.ilike(body.current_thread.text, '*support*'),
30 strings.ilike(body.current_thread.text, '*help line*'),
31 strings.ilike(body.current_thread.text, '*receipt*'),
32 strings.ilike(body.current_thread.text, '*invoice*'),
33 strings.ilike(body.current_thread.text, '*call*'),
34 strings.ilike(body.current_thread.text, '*cancel*'),
35 strings.ilike(body.current_thread.text, '*renew*'),
36 strings.ilike(body.current_thread.text, '*refund*')
37 )
38 // phone number regex
39 and any([body.current_thread.text, subject.subject],
40 regex.icontains(.,
41 '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
42 '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
43 )
44 )
45 // negation for legitimate AI generated meeting summaries from Zoom
46 and not (
47 (
48 sender.display_name == "Meeting Summary with AI Companion"
49 and sender.email.email == "no-reply@zoom.us"
50 and headers.auth_summary.dmarc.pass
51 )
52 or (
53 strings.icontains(subject.subject, "Meeting assets")
54 and strings.icontains(body.current_thread.text, "Meeting summary")
55 and sender.email.email == "no-reply@zoom.us"
56 and headers.auth_summary.dmarc.pass
57 )
58 )
59
60attack_types:
61 - "Callback Phishing"
62tactics_and_techniques:
63 - "Out of band pivot"
64 - "Social engineering"
65 - "Impersonation: Brand"
66detection_methods:
67 - "Computer Vision"
68 - "Content analysis"
69 - "Header analysis"
70 - "Sender analysis"
71id: "8ec30881-ef03-5490-af8d-8a2b9c0e6142"