Brand impersonation: Zoom (strict)

Impersonation of the video conferencing provider Zoom. This "strict" version of this rule will only flag when the sender's display name matches those used by Zoom exactly.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Zoom (strict)"
 2description: |
 3  Impersonation of the video conferencing provider Zoom. This "strict" version of this rule 
 4  will only flag when the sender's display name matches those used by Zoom exactly.  
 5references:
 6  - "https://www.theverge.com/2020/5/12/21254921/hacker-domains-impersonating-zoom-microsoft-teams-google-meet-phishing-covid-19"
 7type: "rule"
 8severity: "medium"
 9source: |
10  type.inbound
11  and (
12    sender.display_name =~ 'zoom'
13    or sender.display_name =~ 'zoom video communications, inc.'
14    or sender.display_name =~ 'zoom call'
15  )
16  and sender.email.domain.root_domain not in ('zoom.us', 'zuora.com','zoomgov.com')
17  and (
18    // if this comes from a free email provider,
19    // flag if org has never sent an email to sender's email before
20    (
21      sender.email.domain.root_domain in $free_email_providers
22      and sender.email.email not in $recipient_emails
23    )
24    // if this comes from a custom domain,
25    // flag if org has never sent an email to sender's domain before
26    or (
27      sender.email.domain.root_domain not in $free_email_providers
28      and sender.email.domain.domain not in $recipient_domains
29    )
30  )  
31attack_types:
32  - "Credential Phishing"
33tactics_and_techniques:
34  - "Impersonation: Brand"
35  - "Social engineering"
36detection_methods:
37  - "Sender analysis"
38id: "00f3d94f-7ed2-5dde-a48d-fb5fcbc20cd2"
to-top