Brand impersonation: Zoom (strict)

Impersonation of the video conferencing provider Zoom. This "strict" version of this rule will only flag when the sender's display name matches those used by Zoom exactly.

Sublime rule

name: "Brand impersonation: Zoom (strict)"
description: |
  Impersonation of the video conferencing provider Zoom. This "strict" version of this rule
  will only flag when the sender's display name matches those used by Zoom exactly.
references:
  - "https://www.theverge.com/2020/5/12/21254921/hacker-domains-impersonating-zoom-microsoft-teams-google-meet-phishing-covid-19"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    sender.display_name =~ 'zoom'
    or sender.display_name =~ 'zoom video communications, inc.'
    or sender.display_name =~ 'zoom call'
  )
  and sender.email.domain.root_domain not in (
    'zoom.us',
    'zuora.com',
    'zoomgov.com',
    'zoom.com'
  )
  and (
    // if this comes from a free email provider,
    // flag if org has never sent an email to sender's email before
    (
      sender.email.domain.root_domain in $free_email_providers
      and not profile.by_sender().solicited
    )
    // if this comes from a custom domain,
    // flag if org has never sent an email to sender's domain before
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and not profile.by_sender().solicited
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
id: "00f3d94f-7ed2-5dde-a48d-fb5fcbc20cd2"
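To see what the "strict" matching means in practice, here is an added Python re-implementation of the rule's logic run over constructed sample messages (this is example code, not part of the Sublime rule or its repository). It assumes that MQL's `=~` is a case-insensitive equality on the display name, uses a simplified last-two-labels stand-in for `root_domain`, and an abbreviated stand-in for the `$free_email_providers` list.

```python
# Added example: Python model of the "Brand impersonation: Zoom (strict)" rule.
# All sample senders and domains below are constructed for illustration.
from dataclasses import dataclass

# Display names the rule matches exactly; `=~` is case-insensitive, so compare lowercased.
ZOOM_DISPLAY_NAMES = {"zoom", "zoom video communications, inc.", "zoom call"}
# Root domains the rule treats as legitimate Zoom senders.
ZOOM_ROOT_DOMAINS = {"zoom.us", "zuora.com", "zoomgov.com", "zoom.com"}
# Stand-in for Sublime's $free_email_providers list (constructed, abbreviated).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}


@dataclass
class Message:
    inbound: bool
    display_name: str
    sender_email: str
    solicited: bool  # profile.by_sender().solicited: org has mailed this sender before


def root_domain(email: str) -> str:
    """Simplified root-domain extraction: last two labels of the sender domain.
    Sublime's root_domain uses the public suffix list; this is enough for the samples."""
    domain = email.rsplit("@", 1)[-1].lower()
    return ".".join(domain.split(".")[-2:])


def flags(msg: Message) -> bool:
    """Return True if the strict Zoom brand-impersonation rule would fire on msg."""
    if not msg.inbound:
        return False
    # Strict: the whole display name must equal one of the known Zoom names.
    # Partial matches such as "Zoom Support" are deliberately ignored.
    if msg.display_name.strip().lower() not in ZOOM_DISPLAY_NAMES:
        return False
    domain = root_domain(msg.sender_email)
    if domain in ZOOM_ROOT_DOMAINS:
        return False
    # Both branches of the rule's final clause require an unsolicited sender;
    # the free-provider split only decides which branch is taken.
    if domain in FREE_EMAIL_PROVIDERS:
        return not msg.solicited
    return not msg.solicited


if __name__ == "__main__":
    for m in [Message(True, "Zoom", "no-reply@zoom.us", False),
              Message(True, "ZOOM", "zoom.invite@gmail.com", False),
              Message(True, "Zoom Support", "alerts@zoom-meetings.example", False)]:
        print(f"{m.display_name!r:>16} <{m.sender_email}> -> flagged={flags(m)}")
```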