Service abuse: Zoom with newly registered reply-to domain

Detects messages from legitimate Zoom infrastructure (no-reply@zoom.us) that contain a reply-to address with a domain registered within the last 45 days, indicating potential abuse of Zoom's service for malicious purposes.

Sublime rule (View on GitHub)

```yaml
name: "Service abuse: Zoom with newly registered reply-to domain"
description: "Detects messages from legitimate Zoom infrastructure (no-reply@zoom.us) that contain a reply-to address with a domain registered within the last 45 days, indicating potential abuse of Zoom's service for malicious purposes."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Legitimate zoom sending infrastructure
  and sender.email.email == "no-reply@zoom.us"
  // newly registered reply-to domain
  and network.whois(headers.reply_to[0].email.domain).days_old < 45
tags:
  - "Attack surface reduction"
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Sender analysis"
  - "Header analysis"
  - "Whois"
id: "93115dd9-5b26-5bc7-9f79-d6e5fae96fd9"
```
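As an added example (not Sublime's rule code and not the Sublime platform's API), the same three conditions re-implemented in Python over constructed messages. The WHOIS lookup is replaced by an in-memory table of constructed creation dates so it runs offline; a message with no Reply-To header, or whose domain has no WHOIS data, is treated as a non-match rather than an error.

```python
from datetime import date
from email import message_from_string
from email.utils import getaddresses, parseaddr
from typing import Optional

LEGIT_ZOOM_SENDER = "no-reply@zoom.us"
MAX_DOMAIN_AGE_DAYS = 45  # mirrors the rule's `days_old < 45`

# Constructed WHOIS creation dates for the sample domains below (not real data).
FAKE_WHOIS_CREATED = {
    "zoom.us": date(2011, 4, 21),                        # placeholder: long-established
    "meetings-zoom-support.example": date(2024, 6, 1),   # constructed: freshly registered
}

def domain_age_days(domain: str, today: date, lookup=FAKE_WHOIS_CREATED.get) -> Optional[int]:
    """Age of the domain in days, or None when no WHOIS creation date is available."""
    created = lookup(domain.lower())
    return None if created is None else (today - created).days

def reply_to_domain(msg) -> Optional[str]:
    """Domain of the first Reply-To address (the rule reads headers.reply_to[0])."""
    for _name, addr in getaddresses(msg.get_all("Reply-To", [])):
        if "@" in addr:
            return addr.rsplit("@", 1)[1].lower()
    return None

def matches_rule(raw_message: str, today: date, lookup=FAKE_WHOIS_CREATED.get) -> bool:
    """True when the message comes from Zoom's sender but replies go to a young domain."""
    msg = message_from_string(raw_message)
    _name, sender = parseaddr(msg.get("From", ""))
    if sender.lower() != LEGIT_ZOOM_SENDER:
        return False                      # not the legitimate Zoom sending address
    domain = reply_to_domain(msg)
    if domain is None:
        return False                      # no Reply-To header: nothing to evaluate
    age = domain_age_days(domain, today, lookup)
    return age is not None and age < MAX_DOMAIN_AGE_DAYS

# Constructed sample messages (headers only; not real captures).
SUSPICIOUS = (
    "From: Zoom <no-reply@zoom.us>\n"
    "Reply-To: Billing <billing@meetings-zoom-support.example>\n"
    "Subject: Your meeting invoice\n\n"
)
BENIGN = "From: Zoom <no-reply@zoom.us>\nReply-To: no-reply@zoom.us\nSubject: Reminder\n\n"

if __name__ == "__main__":
    print(matches_rule(SUSPICIOUS, date(2024, 6, 15)), matches_rule(BENIGN, date(2024, 6, 15)))
```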
