Callback Phishing via Zoom comment
Detects callback scams sent through legitimate Zoom infrastructure that impersonate well-known brands like McAfee, Norton, or PayPal. These messages contain purchase or support-related language along with phone numbers, attempting to trick recipients into calling fraudulent support lines.
Sublime rule (View on GitHub)
name: "Callback Phishing via Zoom comment"
description: "Detects callback scams sent through legitimate Zoom infrastructure that impersonate well-known brands like McAfee, Norton, or PayPal. These messages contain purchase or support-related language along with phone numbers, attempting to trick recipients into calling fraudulent support lines."
type: "rule"
severity: "medium"
# All top-level clauses in `source` are AND-ed: a message must match the
# sender/infrastructure check, the Zoom logo check, the brand lure, the
# commerce/support language (or NLU intent), and a phone-number pattern,
# and must not match the meeting-summary exclusions at the end.
source: |
  type.inbound
  // Only attachment-free messages are considered; the lure is in the body text
  and length(attachments) == 0

  // Legitimate Zoom sending infrastructure: header From root domain is zoom.us
  // and the message carries an SPF pass or a DMARC pass.
  // NOTE(review): SPF is evaluated against the envelope sender (MAIL FROM),
  // which is not necessarily aligned with the header From domain checked on
  // the line below, so spf.pass alone does not prove the message originated
  // from Zoom; dmarc.pass is the aligned, stronger signal. Confirm how
  // headers.auth_summary.spf.pass is derived before treating this clause as
  // proof of origin rather than as a broad net for Zoom-themed callback lures.
  and sender.email.domain.root_domain == 'zoom.us'
  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)

  // Zoom logo detected by computer vision on a rendered screenshot of the message
  and any(ml.logo_detect(file.message_screenshot()).brands, .name == "Zoom")

  // Callback phishing: an impersonated brand is named in the current thread.
  // The [o0] alternations catch digit-for-letter substitutions (n0rt0n, lifel0ck);
  // geek.{0,5}squad tolerates up to five arbitrary characters between the words.
  and regex.icontains(body.current_thread.text,
                      (
                        "mcafee|n[o0]rt[o0]n|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifel[o0]ck"
                      )
  )
  // Commerce/support lure: at least three of the case-insensitive substring
  // matches below, or the NLU classifier labels the thread as a callback scam
  // with a confidence other than "low". Note that '*call*' and '*order*' are
  // broad (they also match "callback", "called", "border"), which is why three
  // hits are required rather than one.
  and (
    3 of (
      strings.ilike(body.current_thread.text, '*purchase*'),
      strings.ilike(body.current_thread.text, '*payment*'),
      strings.ilike(body.current_thread.text, '*transaction*'),
      strings.ilike(body.current_thread.text, '*subscription*'),
      strings.ilike(body.current_thread.text, '*antivirus*'),
      strings.ilike(body.current_thread.text, '*order*'),
      strings.ilike(body.current_thread.text, '*support*'),
      strings.ilike(body.current_thread.text, '*help line*'),
      strings.ilike(body.current_thread.text, '*receipt*'),
      strings.ilike(body.current_thread.text, '*invoice*'),
      strings.ilike(body.current_thread.text, '*call*'),
      strings.ilike(body.current_thread.text, '*cancel*'),
      strings.ilike(body.current_thread.text, '*renew*'),
      strings.ilike(body.current_thread.text, '*refund*'),
      strings.ilike(body.current_thread.text, '*host key*')
    )
    or any(ml.nlu_classifier(body.current_thread.text).intents,
           .name == "callback_scam" and .confidence != "low"
    )
  )
  // Phone number present in the body text or the subject (two patterns are
  // passed to regex.icontains; presumably a hit on either suffices).
  // [ilo0-9] treats i, l and o as digit look-alikes to defeat obfuscation.
  // First pattern: the unescaped "." lets any single character separate the
  // groups, and "{3}?" is a lazy exact count, equivalent to "{3}".
  // Second pattern: up to five whitespace, ".", "-" or U+22C5 "⋅" characters
  // may separate the groups, and the leading country code may be 1-2 chars.
  and any([body.current_thread.text, subject.subject],
          regex.icontains(.,
                          '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                          '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
          )
  )
  // Negation for legitimate AI-generated meeting summaries from Zoom.
  // Both exclusions require the exact sender no-reply@zoom.us AND a DMARC
  // pass, so a spoofed "meeting summary" cannot use this branch to escape
  // the rule.
  and not (
    (
      sender.display_name == "Meeting Summary with AI Companion"
      and sender.email.email == "no-reply@zoom.us"
      and headers.auth_summary.dmarc.pass
    )
    or (
      strings.icontains(subject.subject, "Meeting assets")
      and strings.icontains(body.current_thread.text, "Meeting summary")
      and sender.email.email == "no-reply@zoom.us"
      and headers.auth_summary.dmarc.pass
    )
  )

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Out of band pivot"
  - "Social engineering"
  - "Impersonation: Brand"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "8ec30881-ef03-5490-af8d-8a2b9c0e6142"