Zoom Events newsletter abuse

Detects suspicious content in Zoom Events notifications that contain credential theft language and links to file hosting sites.

Sublime rule (View on GitHub)

 1name: "Zoom Events newsletter abuse"
 2description: "Detects suspicious content in Zoom Events notifications that contain credential theft language and links to file hosting sites."
 3type: "rule"
 4severity: "medium"
 5references:
 6  - "https://blog.reconinfosec.com/zoom-events-phishing"
 7source: |
 8  type.inbound
 9  and sender.email.email == "noreply-zoomevents@zoom.us"
10  and (
11    headers.auth_summary.spf.pass
12    or headers.auth_summary.dmarc.pass
13  )
14  
15  // extract the actor controlled message from the email body
16  and any(html.xpath(body.html,
17                     "//div[@class='eb-content css-1l7xmti']//td[@data-dynamic-style-background-color='email.bodyColor.color' and @style='border-radius: 8px; background-color: rgb(255, 255, 255);']"
18          ).nodes,
19          // look at the content before the copyright footer in the template and pass it to NLU to see if it's cred theft 
20          any(html.xpath(.,
21                         "//td[@data-dynamic-style-background-color='email.bodyColor.color']/*[position() < last()]"
22              ).nodes,
23              any(ml.nlu_classifier(..display_text).intents,
24                  .name == "cred_theft" and .confidence != "low"
25              )
26          )
27  )  
28
29attack_types:
30  - "Credential Phishing"
31tactics_and_techniques:
32  - "Free file host"
33  - "Free subdomain host"
34  - "Social engineering"
35  - "Impersonation: Brand"
36detection_methods:
37  - "Header analysis"
38  - "HTML analysis"
39  - "Natural Language Understanding"
40  - "URL analysis"
41id: "c8fce846-4745-597d-a90c-4c788dcb402a"