Zoom Events newsletter abuse
Detects suspicious content in Zoom Events notifications that contain credential theft language and links to file hosting sites.
Sublime rule
# Sublime Security detection rule. The sender and authentication checks in
# `source` pin the message to Zoom's own notification path; what the rule
# treats as suspicious is the actor-controlled text and links embedded
# inside an otherwise legitimate Zoom Events notification.
name: "Zoom Events newsletter abuse"
description: "Detects suspicious content in Zoom Events notifications that contain credential theft language and links to file hosting sites."
type: "rule"
severity: "medium"
references:
  - "https://blog.reconinfosec.com/zoom-events-phishing"
source: |
  type.inbound
  // the notification must genuinely originate from Zoom: a fixed sender
  // address plus passing SPF and DMARC. Spoofed look-alike senders are out of
  // scope here; this rule targets abuse of the real notification service.
  and sender.email.email == "noreply-zoomevents@zoom.us"
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass

  // extract the actor controlled message from the email body
  // NOTE(review): the xpath hard-codes a template class ('css-1l7xmti') and an
  // exact inline style. If Zoom changes its email template this clause stops
  // matching and the rule goes quiet without error — worth watching hit volume.
  and any(html.xpath(body.html,
                     "//div[@class='eb-content css-1l7xmti']//td[@data-dynamic-style-background-color='email.bodyColor.color' and @style='border-radius: 8px; background-color: rgb(255, 255, 255);']"
                     ).nodes,
          // capture everything before the "Visit the" call-to-action; that
          // span is the actor-controlled portion of the notification
          any(regex.extract(.display_text, '(?P<body_text>[\s\S]*?)Visit the'),
              // match when the NLU classifier reports credential-theft intent
              // at any confidence other than "low"
              any(ml.nlu_classifier(.named_groups['body_text']).intents,
                  .name == "cred_theft" and .confidence != "low"
              )
          )
  )

  // at least one link must resolve to a free file host, a free subdomain
  // host, or docs.zoom.us
  and (
    any(body.links,
        .href_url.domain.root_domain in $free_file_hosts
        or .href_url.domain.root_domain in $free_subdomain_hosts
        // NOTE(review): this nested any() re-scans all of body.links on every
        // iteration of the outer any(); it behaves like a flat
        // `or .href_url.domain.domain == "docs.zoom.us"` — confirm before simplifying
        or any(body.links, .href_url.domain.domain == "docs.zoom.us")
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Free subdomain host"
  - "Social engineering"
  - "Impersonation: Brand"
detection_methods:
  - "Header analysis"
  - "HTML analysis"
  - "Natural Language Understanding"
  - "URL analysis"
id: "c8fce846-4745-597d-a90c-4c788dcb402a"