Zoom Events newsletter abuse

Detects suspicious content in Zoom Events notifications that contain credential theft language and links to file hosting sites.

Sublime rule (View on GitHub)

 1name: "Zoom Events newsletter abuse"
 2description: "Detects suspicious content in Zoom Events notifications that contain credential theft language and links to file hosting sites."
 3type: "rule"
 4severity: "medium"
 5references:
 6  - "https://blog.reconinfosec.com/zoom-events-phishing"
 7source: |
 8  type.inbound
 9  and sender.email.email == "noreply-zoomevents@zoom.us"
10  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
11  
12  // extract the actor controlled content from the email body (excluding the
13  // static Zoom copyright/unsubscribe footer) and pass it to NLU
14  and any(html.xpath(body.html,
15                     "//div[@class='eb-content css-1l7xmti']//td[@data-dynamic-style-background-color='email.bodyColor.color' and contains(@style, 'background-color: rgb(255, 255, 255)')]/*[not(.//*[contains(text(), 'Copyright') or contains(text(), 'unsubscribe')])]"
16          ).nodes,
17          any(ml.nlu_classifier(.display_text).intents,
18              .name == "cred_theft" and .confidence != "low"
19          )
20  )  
21attack_types:
22  - "Credential Phishing"
23tactics_and_techniques:
24  - "Free file host"
25  - "Free subdomain host"
26  - "Social engineering"
27  - "Impersonation: Brand"
28detection_methods:
29  - "Header analysis"
30  - "HTML analysis"
31  - "Natural Language Understanding"
32  - "URL analysis"
33id: "c8fce846-4745-597d-a90c-4c788dcb402a"
to-top