Fake Zoom meeting invite with suspicious link

Detects messages impersonating Zoom meetings that contain suspicious links not hosted on legitimate Zoom domains, with recipients hidden as 'Undisclosed recipients' or missing entirely. The rule identifies Zoom-related language while excluding legitimate Zoom communications and meeting summaries.

Sublime rule

# Sublime Security detection rule written in MQL. It fires on inbound,
# first-message-in-thread emails that use Zoom meeting language, hide their
# recipients, and carry at least one link that is not on a Zoom-controlled
# domain. Every "and" clause in `source` narrows the match; the trailing
# "and not (...)" clauses are exclusions for known-benign traffic.
name: "Fake Zoom meeting invite with suspicious link"
description: "Detects messages impersonating Zoom meetings that contain suspicious links not hosted on legitimate Zoom domains, with recipients hidden as 'Undisclosed recipients' or missing entirely. The rule identifies Zoom-related language while excluding legitimate Zoom communications and meeting summaries."
type: "rule"
severity: "medium"
source: |
  // Scope: inbound mail with no prior thread history.
  type.inbound
  and length(body.previous_threads) == 0
  // The NLU classifier must return exactly one topic, and that topic must be
  // one of the two names below with a confidence other than "low". A message
  // the classifier finds off-topic, or ambiguous (several topics), stops here.
  and length(ml.nlu_classifier(body.current_thread.text).topics) == 1
  and all(ml.nlu_classifier(body.current_thread.text).topics,
          .name in ("Events and Webinars", "Software and App Updates")
          and .confidence != "low"
  )

  // Zoom meeting language
  // Case-insensitive wildcard match on the current thread text; any one of
  // the three phrases is enough.
  and strings.ilike(body.current_thread.text,
                    "*zoom meeting*",
                    "*meeting ID*",
                    "*participants*"
  )

  // suspicious recipients pattern
  // Either a To: display name of the form "undisclosed?recipients" (the "?"
  // presumably stands for one arbitrary character such as a space or hyphen)
  // or an empty To: list.
  and (
    any(recipients.to, strings.ilike(.display_name, "undisclosed?recipients"))
    or length(recipients.to) == 0
  )

  // suspicious link
  // Exclusion first: if any link sits on a Zoom domain (or emailprotection.link)
  // AND carries a "pwd" query parameter, it is treated as a genuine Zoom join
  // link and the rule does not fire.
  and not any(body.links,
              .href_url.domain.root_domain in (
                "zoom.us",
                "zoom.com",
                "emailprotection.link"
              )
              and any(.href_url.query_params_decoded['pwd'], . is not null)
  )
  // Requirement: at least one link must look suspicious, either by its TLD,
  // by a "com."-prefixed ccSLD-style TLD, or by what link analysis observes.
  and (
    any(body.links,
        .href_url.domain.tld in $suspicious_tlds
        // country code second-level domain
        or strings.istarts_with(.href_url.domain.tld, "com.")
        or (
          (
            // visiting the link produced a file download
            length(ml.link_analysis(.).files_downloaded) > 0
            // Zoom logo on page
            or ml.link_analysis(.).credphish.brand.name == "Zoom"
            // blocked by a Cloudflare CAPTCHA
            or strings.icontains(ml.link_analysis(.).final_dom.raw,
                                 'https://challenges.cloudflare.com/turnstile/',
            )
          )
          // ...and the page the link finally resolves to is not on a Zoom domain
          and ml.link_analysis(.).effective_url.domain.root_domain not in (
            "zoom.us",
            "zoom.com"
          )
        )
    )
  )

  // negate auto-generated meeting summaries
  // Both strings must be present: the "meeting summary" phrase and the AI disclaimer.
  and not (
    strings.icontains(body.current_thread.text, "meeting summary")
    and strings.icontains(body.current_thread.text,
                          "AI-generated content may be inaccurate or misleading."
    )
  )
  // negate replies and forwards that carry threading headers
  // NOTE(review): if MQL gives "and" precedence over "or" (as most expression
  // languages do), this reads as
  //   subject.is_reply OR (subject.is_forward AND <threading headers present>)
  // i.e. a reply is excluded unconditionally and a forward only when References
  // or In-Reply-To is present. If both were meant to require threading headers,
  // wrap (subject.is_reply or subject.is_forward) in parentheses — confirm intent.
  and not (
    subject.is_reply
    or subject.is_forward
    and (
      length(headers.references) > 0
      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
    )
  )
  // Not from a legitimate Zoom domain
  // The sender-domain exclusion only applies when DMARC passes, so a message
  // with a spoofed zoom.us From: address is still evaluated by the rule.
  // zuora.com and zoom-x.de are presumably Zoom billing / regional senders — confirm.
  and not (
    sender.email.domain.root_domain in (
      "zoom.us",
      "zuora.com",
      "zoomgov.com",
      "zoom.com",
      "zoom-x.de"
    )
    and headers.auth_summary.dmarc.pass
  )

# Classification metadata for the rule.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "aba95f23-b8d5-5764-9729-d2db50464760"