Link: Direct link to Zoom Docs from Non-Zoom Sender

Message includes a single link to Zoom Docs, with no other links to Zoom, and originates from a sender outside the Zoom organization.

Sublime rule

```yaml
name: "Link: Direct link to Zoom Docs from Non-Zoom Sender"
description: "Message includes a single link to Zoom Docs, with no other links to zoom and originates from a sender outside the Zoom organization"
type: "rule"
severity: "medium"
source: |
  type.inbound
  // contains a link to zoom docs
  and any(body.links, .href_url.domain.domain == "docs.zoom.us")
  // is the only link to zoom
  and length(filter(body.links, .href_url.domain.root_domain == "zoom.us")) == 1
  // not from zoom.us
  and not (
    sender.email.domain.root_domain == "zoom.us"
    and headers.auth_summary.dmarc.pass
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Impersonation: Brand"
detection_methods:
  - "Header analysis"
  - "URL analysis"
  - "Sender analysis"
id: "5c6362db-62e0-56c9-b988-ad17a2738a47"
```
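To trace how the three conditions combine, here is an added Python model of the rule's logic run over constructed sample messages; it is not Sublime's code (the MQL above is evaluated by the Sublime platform). It assumes a minimal message dict with `links`, `sender_root_domain` and `dmarc_pass`, and approximates `root_domain` as the last two hostname labels rather than using a public suffix list.

```python
from urllib.parse import urlsplit


def domain_of(url: str) -> str:
    """Hostname of a URL, lower-cased (models .href_url.domain.domain)."""
    return (urlsplit(url).hostname or "").lower()


def root_domain_of(url: str) -> str:
    """Simplified root domain: last two labels (Sublime uses a public
    suffix list, which matters for hosts such as example.co.uk)."""
    return ".".join(domain_of(url).split(".")[-2:])


def matches(msg: dict) -> bool:
    """True when the message would fire the rule above (inbound assumed)."""
    links = msg["links"]
    # contains a link to zoom docs
    has_zoom_docs = any(domain_of(u) == "docs.zoom.us" for u in links)
    # is the only link to zoom (any host under zoom.us counts)
    zoom_links = [u for u in links if root_domain_of(u) == "zoom.us"]
    # not from zoom.us: a zoom.us sender is only trusted when DMARC passes,
    # so a spoofed zoom.us From: that fails DMARC still matches
    from_zoom = msg["sender_root_domain"] == "zoom.us" and msg["dmarc_pass"]
    return has_zoom_docs and len(zoom_links) == 1 and not from_zoom


# Constructed sample messages (not real mail, not from the page).
SAMPLES = {
    "external_single_docs_link": {
        "links": ["https://docs.zoom.us/doc/abc", "https://example.com/x"],
        "sender_root_domain": "example.com", "dmarc_pass": True},
    "zoom_sender_dmarc_pass": {
        "links": ["https://docs.zoom.us/doc/abc"],
        "sender_root_domain": "zoom.us", "dmarc_pass": True},
    "spoofed_zoom_sender_dmarc_fail": {
        "links": ["https://docs.zoom.us/doc/abc"],
        "sender_root_domain": "zoom.us", "dmarc_pass": False},
    "external_multiple_zoom_links": {
        "links": ["https://docs.zoom.us/doc/abc", "https://zoom.us/j/1"],
        "sender_root_domain": "example.com", "dmarc_pass": True},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name}: {matches(msg)}")
```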
