Service Abuse: Zoom with freemail reply-to and recipient address in greeting

Detects messages impersonating Zoom that use a freemail provider for the reply-to address, have a new and unsolicited reply-to profile, and contain the recipient's email address in the greeting line where a name would normally appear.

Sublime rule

```yaml
name: "Service Abuse: Zoom with freemail reply-to and recipient address in greeting"
description: "Detects messages impersonating Zoom that use a freemail provider for the reply-to address, have a new and unsolicited reply-to profile, and contain the recipient's email address in the greeting line where a name would normally appear."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // is from zoom
  and sender.email.email == "no-reply@zoom.us"
  // has a freemail for a reply-to address
  and headers.reply_to[0].email.domain.domain in $free_email_providers
  // the reply-to address is new
  and beta.profile.by_reply_to().prevalence == "new"
  and not beta.profile.by_reply_to().solicited
  // the "greeting" line contains an email address matching the recipient's email root domain
  // this is normally a name
  and any(regex.iextract(body.current_thread.text,
                         '^\S+\s+(?P<last_word>\S+?),?(?:\n|\z)'
          ),
          strings.parse_email(.named_groups["last_word"]).domain.root_domain == recipients.to[0].email.domain.root_domain
  )
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "Header analysis"
  - "Content analysis"
id: "d582b240-8126-540f-8934-d9914780cebb"
```
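To show how the rule's conditions combine, in particular how the greeting-line regex and the root-domain comparison behave on real message text, here is an added Python re-implementation of the logic. It is an example written for this page, not Sublime's code: the `FREE_EMAIL_PROVIDERS` set stands in for the `$free_email_providers` list, `parse_email` and `root_domain` are simplified stand-ins for `strings.parse_email` and `.root_domain` (the latter takes the last two labels and ignores multi-part public suffixes), the message dicts are constructed samples, and the regex is assumed to be evaluated with multiline anchoring so `^` matches the start of each body line.

```python
import re

# Constructed stand-in for Sublime's $free_email_providers list.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Same pattern as the rule: one word, whitespace, a final word, optional comma,
# then end of line or end of text. MULTILINE is an assumption so '^' anchors
# each line of the body; IGNORECASE mirrors regex.iextract.
GREETING_RE = re.compile(
    r"^\S+\s+(?P<last_word>\S+?),?(?:\n|\Z)", re.IGNORECASE | re.MULTILINE
)


def root_domain(domain):
    """Approximate .root_domain: last two labels (does not handle suffixes like co.uk)."""
    labels = domain.lower().strip().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def parse_email(token):
    """Stand-in for strings.parse_email: return (local, domain) or None if not an address."""
    token = token.strip("<>.,;:")
    m = re.fullmatch(r"([^@\s]+)@([^@\s]+\.[^@\s]+)", token)
    return (m.group(1), m.group(2)) if m else None


def greeting_contains_recipient_domain(body_text, recipient_email):
    """True when a greeting line ends in an address whose root domain matches the recipient's."""
    rec = parse_email(recipient_email)
    if rec is None:
        return False
    rec_root = root_domain(rec[1])
    for m in GREETING_RE.finditer(body_text):
        parsed = parse_email(m.group("last_word"))
        # Lines ending in a plain name (parsed is None) never match, as in the rule.
        if parsed and root_domain(parsed[1]) == rec_root:
            return True
    return False


def evaluate(msg):
    """Apply the rule's conjunction of conditions to a constructed message dict."""
    if msg.get("direction") != "inbound":
        return False
    if msg["sender_email"].lower() != "no-reply@zoom.us":
        return False
    reply_to = msg.get("reply_to") or []
    if not reply_to:
        return False  # headers.reply_to[0] would be absent
    rt = parse_email(reply_to[0])
    if rt is None or rt[1].lower() not in FREE_EMAIL_PROVIDERS:
        return False
    profile = msg.get("reply_to_profile", {})  # stand-in for beta.profile.by_reply_to()
    if profile.get("prevalence") != "new" or profile.get("solicited", False):
        return False
    return greeting_contains_recipient_domain(msg["body_text"], msg["recipients_to"][0])


# Constructed sample: every condition holds, so the rule would fire.
SUSPICIOUS = {
    "direction": "inbound",
    "sender_email": "no-reply@zoom.us",
    "reply_to": ["billing.team.helpdesk@gmail.com"],
    "reply_to_profile": {"prevalence": "new", "solicited": False},
    "recipients_to": ["jane.doe@example.com"],
    "body_text": "Hello jane.doe@example.com,\nYour Zoom invoice is ready.\n",
}

# Constructed sample: same headers, but the greeting uses a name, so no match.
BENIGN_GREETING = dict(SUSPICIOUS, body_text="Hello Jane,\nYour Zoom invoice is ready.\n")

# Constructed sample: the reply-to is not a freemail address, so no match.
BENIGN_REPLY_TO = dict(SUSPICIOUS, reply_to=["no-reply@zoom.us"])

if __name__ == "__main__":
    for label, msg in [("suspicious", SUSPICIOUS), ("benign greeting", BENIGN_GREETING),
                       ("benign reply-to", BENIGN_REPLY_TO)]:
        print(label, "->", evaluate(msg))
```

The three samples exercise the rule's two independent signals: `BENIGN_GREETING` shows that a freemail reply-to alone is not enough, and `BENIGN_REPLY_TO` shows that an address in the greeting alone is not enough; only their conjunction with the new, unsolicited reply-to profile produces a hit.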