Fake Zoho Sign template abuse
This rule captures credential phishing attempts that abuse the Zoho Sign email template. It looks for artifacts of the hijacked Zoho link (the original sign.zoho.com URL left behind in a title attribute while the live link points elsewhere) together with other constructs of the template.
Sublime rule (View on GitHub)
```yaml
name: "Fake Zoho Sign template abuse"
description: "This rule captures credential phishing attempts abusing the Zoho Sign template. The rule looks for artifacts of the Hijacked Zoho link and other template constructs."
type: "rule"
severity: "medium"
source: |
  type.inbound

  and 0 < length(body.links) < 10
  // Link contains Start Signing
  and any(body.links, .display_text == "Start Signing")

  // Zoho artifact in html body
  and regex.contains(body.html.raw,
                     'title="Original URL: https:\/\/sign\.zoho\.com\/zsguest\?[^"]*action_type=SIGN\.[^"]*Click or tap if you trust this link\."'
  )
  // but the Zoho link is not active
  and not any(body.links, .href_url.domain.root_domain == "zoho.com")

  // and the body thread contains the Sender + recipient domain
  and any(recipients.to,
          strings.icontains(body.current_thread.text,
                            strings.concat("Sender\n", .email.domain.domain)
          )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Open redirect"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "URL analysis"
id: "785fd0d5-87ef-5f0e-ad35-ecd4f2388fc0"
```
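To see how the rule's conditions combine, here is an added Python re-implementation of its logic that is not part of the Sublime rule or the Sublime platform. It stands in `extract_links` for `body.links`, a crude last-two-labels `root_domain` for `.href_url.domain.root_domain`, and a plain list of recipient domains for `recipients.to`; the regex is the rule's own pattern. The two HTML samples and the thread text are constructed test data using a placeholder `.invalid` host, not captured mail.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The rule's own regex: the leftover title attribute that names the original
# sign.zoho.com URL. Python's re accepts the escaped "\/" as a literal "/".
ZOHO_ARTIFACT = re.compile(
    r'title="Original URL: https:\/\/sign\.zoho\.com\/zsguest\?[^"]*'
    r'action_type=SIGN\.[^"]*Click or tap if you trust this link\."'
)


class _LinkExtractor(HTMLParser):
    """Collects (href, display_text) pairs from <a> tags; a stand-in for body.links."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def root_domain(url):
    """Crude stand-in for .href_url.domain.root_domain: last two labels of the host."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def matches_rule(inbound, html, thread_text, recipient_domains):
    """Evaluate the rule's conjunction in the same order as the MQL source."""
    if not inbound:                                   # type.inbound
        return False
    links = extract_links(html)
    if not (0 < len(links) < 10):                     # 0 < length(body.links) < 10
        return False
    if not any(text == "Start Signing" for _, text in links):
        return False
    if not ZOHO_ARTIFACT.search(html):                # Zoho artifact in raw HTML
        return False
    if any(root_domain(href) == "zoho.com" for href, _ in links):
        return False                                  # real Zoho link still active
    lowered = thread_text.lower()                     # strings.icontains
    return any(("sender\n" + d).lower() in lowered for d in recipient_domains)


# Constructed sample: the template artifact is present but the visible button
# now points at a placeholder non-Zoho host (the pattern the rule targets).
SUSPICIOUS_HTML = (
    '<p>You have a document to sign.</p>'
    '<a href="https://example-placeholder.invalid/s/abc" '
    'title="Original URL: https://sign.zoho.com/zsguest?x=1&action_type=SIGN. '
    'Click or tap if you trust this link.">Start Signing</a>'
)
SUSPICIOUS_THREAD = "Sender\nexample.com\nRecipient\nalice@example.com"

# Constructed sample: same artifact, but the button still links to zoho.com,
# so the "Zoho link is not active" condition fails and the rule does not fire.
BENIGN_HTML = (
    '<a href="https://sign.zoho.com/zsguest?x=1&action_type=SIGN" '
    'title="Original URL: https://sign.zoho.com/zsguest?x=1&action_type=SIGN. '
    'Click or tap if you trust this link.">Start Signing</a>'
)

if __name__ == "__main__":
    print("suspicious:", matches_rule(True, SUSPICIOUS_HTML, SUSPICIOUS_THREAD, ["example.com"]))
    print("benign:", matches_rule(True, BENIGN_HTML, SUSPICIOUS_THREAD, ["example.com"]))
```

The last two conditions are what keep this rule tight: a genuine Zoho notification carries the same title-attribute artifact, so the regex alone would fire on legitimate mail; it is the absence of any live zoho.com link, plus the template's "Sender" block naming the recipient's own domain, that separates the rewritten copy from the original.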