Callback Phishing via Zoom comment

Detects callback scams sent through legitimate Zoom infrastructure that impersonate well-known brands like McAfee, Norton, or PayPal. These messages contain purchase or support-related language along with phone numbers, attempting to trick recipients into calling fraudulent support lines.

Sublime rule (View on GitHub)

 1name: "Callback Phishing via Zoom comment"
 2description: "Detects callback scams sent through legitimate Zoom infrastructure that impersonate well-known brands like McAfee, Norton, or PayPal. These messages contain purchase or support-related language along with phone numbers, attempting to trick recipients into calling fraudulent support lines."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(attachments) == 0
 8  
 9  // Legitimate Zoom sending infratructure
10  and sender.email.domain.root_domain == 'zoom.us'
11  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
12  
13  // Zoom Logo 
14  and any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Zoom")
15  
16  // Callback Phishing
17  and regex.icontains(body.current_thread.text,
18                      (
19                        "mcafee|n[o0]rt[o0]n|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifel[o0]ck"
20                      )
21  )
22  and 3 of (
23    strings.ilike(body.current_thread.text, '*purchase*'),
24    strings.ilike(body.current_thread.text, '*payment*'),
25    strings.ilike(body.current_thread.text, '*transaction*'),
26    strings.ilike(body.current_thread.text, '*subscription*'),
27    strings.ilike(body.current_thread.text, '*antivirus*'),
28    strings.ilike(body.current_thread.text, '*order*'),
29    strings.ilike(body.current_thread.text, '*support*'),
30    strings.ilike(body.current_thread.text, '*help line*'),
31    strings.ilike(body.current_thread.text, '*receipt*'),
32    strings.ilike(body.current_thread.text, '*invoice*'),
33    strings.ilike(body.current_thread.text, '*call*'),
34    strings.ilike(body.current_thread.text, '*cancel*'),
35    strings.ilike(body.current_thread.text, '*renew*'),
36    strings.ilike(body.current_thread.text, '*refund*')
37  )
38  // phone number regex
39  and any([body.current_thread.text, subject.subject],
40          regex.icontains(.,
41                          '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
42                          '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
43          )
44  )
45  // negation for legitimate AI generated meeting summaries from Zoom 
46  and not (
47    (
48      sender.display_name == "Meeting Summary with AI Companion"
49      and sender.email.email == "no-reply@zoom.us"
50      and headers.auth_summary.dmarc.pass
51    )
52    or (
53      strings.icontains(subject.subject, "Meeting assets")
54      and strings.icontains(body.current_thread.text, "Meeting summary")
55      and sender.email.email == "no-reply@zoom.us"
56      and headers.auth_summary.dmarc.pass
57    )
58  )  
59
60attack_types:
61  - "Callback Phishing"
62tactics_and_techniques:
63  - "Out of band pivot"
64  - "Social engineering"
65  - "Impersonation: Brand"
66detection_methods:
67  - "Computer Vision"
68  - "Content analysis"
69  - "Header analysis"
70  - "Sender analysis"
71id: "8ec30881-ef03-5490-af8d-8a2b9c0e6142"
to-top