Zoom Events newsletter abuse

 1name: "Zoom Events newsletter abuse"
 2description: "Detects suspicious content in Zoom Events notifications that contain credential theft language and links to file hosting sites."
 3type: "rule"
 4severity: "medium"
 5references:
 6  - "https://blog.reconinfosec.com/zoom-events-phishing"
 7source: |
 8  type.inbound
 9  and sender.email.email == "noreply-zoomevents@zoom.us"
10  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
11  
12  // extract the actor controlled message from the email body
13  and any(html.xpath(body.html,
14                     "//div[@class='eb-content css-1l7xmti']//td[@data-dynamic-style-background-color='email.bodyColor.color' and @style='border-radius: 8px; background-color: rgb(255, 255, 255);']"
15          ).nodes,
16          // look at the content before the copyright footer in the template and pass it to NLU to see if it's cred theft 
17          any(html.xpath(.,
18                         "//td[@data-dynamic-style-background-color='email.bodyColor.color']/*[position() < last()]"
19              ).nodes,
20              any(ml.nlu_classifier(..display_text).intents,
21                  .name == "cred_theft" and .confidence != "low"
22              )
23          )
24  )  
25attack_types:
26  - "Credential Phishing"
27tactics_and_techniques:
28  - "Free file host"
29  - "Free subdomain host"
30  - "Social engineering"
31  - "Impersonation: Brand"
32detection_methods:
33  - "Header analysis"
34  - "HTML analysis"
35  - "Natural Language Understanding"
36  - "URL analysis"
37id: "c8fce846-4745-597d-a90c-4c788dcb402a"