Zoom Events newsletter abuse
Detects suspicious content in Zoom Events notifications that contain credential theft language and links to file hosting sites.
Sublime rule (View on GitHub)
1name: "Zoom Events newsletter abuse"
2description: "Detects suspicious content in Zoom Events notifications that contain credential theft language and links to file hosting sites."
3type: "rule"
4severity: "medium"
5references:
6 - "https://blog.reconinfosec.com/zoom-events-phishing"
7source: |
8 type.inbound
9 and sender.email.email == "noreply-zoomevents@zoom.us"
10 and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
11
12 // extract the actor controlled content from the email body (excluding the
13 // static Zoom copyright/unsubscribe footer) and pass it to NLU
14 and any(html.xpath(body.html,
15 "//div[@class='eb-content css-1l7xmti']//td[@data-dynamic-style-background-color='email.bodyColor.color' and contains(@style, 'background-color: rgb(255, 255, 255)')]/*[not(.//*[contains(text(), 'Copyright') or contains(text(), 'unsubscribe')])]"
16 ).nodes,
17 any(ml.nlu_classifier(.display_text).intents,
18 .name == "cred_theft" and .confidence != "low"
19 )
20 )
21attack_types:
22 - "Credential Phishing"
23tactics_and_techniques:
24 - "Free file host"
25 - "Free subdomain host"
26 - "Social engineering"
27 - "Impersonation: Brand"
28detection_methods:
29 - "Header analysis"
30 - "HTML analysis"
31 - "Natural Language Understanding"
32 - "URL analysis"
33id: "c8fce846-4745-597d-a90c-4c788dcb402a"