Skip to content

Create brand_impersonation_zoom.yml #2688

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Create brand_impersonation_zoom.yml #2688

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
030e6a0
Create brand_impersonation_zoom.yml
aidenmitchell May 8, 2025
76b5c5c
Auto add rule ID
May 8, 2025
41a57d4
Update brand_impersonation_zoom.yml
aidenmitchell May 9, 2025
cb542f7
Update brand_impersonation_zoom.yml
aidenmitchell May 9, 2025
225cc66
Update brand_impersonation_zoom.yml
aidenmitchell May 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
117 changes: 117 additions & 0 deletions detection-rules/brand_impersonation_zoom.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,117 @@
name: "Brand Impersonation: Zoom"
description: "Detects messages impersonating Zoom through social footers, webinar links, and suspicious domain pattern matching. The rule looks for specific combinations of social media links, redirects, and content analysis to identify inauthentic Zoom-branded messages not originating from legitimate Zoom domains."
type: "rule"
severity: "medium"
source: |
type.inbound
and (
// the social links in the footer
3 of (
any(body.links, strings.icontains(.href_url.url, "twitter.com/zoom")),
any(body.links,
strings.icontains(.href_url.url,
"linkedin.com/company/zoom-video-communications"
)
),
any(body.links, strings.icontains(.href_url.url, "blog.zoom.us")),
strings.ilike(body.html.raw,
'*https://go.pardot.com/l/84442/*/*/84442/*/twitter.png*'
),
strings.ilike(body.html.raw,
'*https://go.pardot.com/l/84442/*/*/84442/*/linkedin.png*'
),
strings.ilike(body.html.raw,
'*https://go.pardot.com/l/84442/*/*/84442/*/zoomblog.png*'
)
)
or (
length(beta.ml_topic(body.html.display_text).topics) == 1
and all(beta.ml_topic(body.html.display_text).topics,
.name == "Events and Webinars" and .confidence != "low"
)
and any(ml.logo_detect(beta.message_screenshot()).brands,
.name == "Zoom" and .confidence == "high"
)
and any(body.links,
any(ml.nlu_classifier(.display_text).intents,
.name == "cred_theft" and .confidence == "high"
)
)
)
or (
any(body.links,
// link claims to go to a Zoom domain, but does not
(
.display_url.domain.root_domain in ("zoom.us", "zoom.com")
or strings.icontains(.display_text, "zoom.us")
or strings.icontains(.display_text, "zoom.com")
)
and .href_url.domain.root_domain not in ("zoom.us", "zoom.com")
and (
.href_url.domain.tld in $suspicious_tlds
// country code second-level domain
or strings.istarts_with(.href_url.domain.tld, "com.")
or (
(
length(ml.link_analysis(.).files_downloaded) > 0
// Zoom logo on page
or ml.link_analysis(.).credphish.brand.name == "Zoom"
// blocked by a Cloudflare CAPTCHA
or strings.icontains(ml.link_analysis(.).final_dom.raw,
'https://challenges.cloudflare.com/turnstile/',
)
)
and ml.link_analysis(.).effective_url.domain.root_domain not in (
"zoom.us",
"zoom.com"
)
)
)
)
)
)

and not (
(
strings.istarts_with(subject.subject, "RE:")
or strings.istarts_with(subject.subject, "R:")
or strings.istarts_with(subject.subject, "ODG:")
or strings.istarts_with(subject.subject, "答复:")
or strings.istarts_with(subject.subject, "AW:")
or strings.istarts_with(subject.subject, "TR:")
or strings.istarts_with(subject.subject, "FWD:")
or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
or regex.imatch(subject.subject,
'^\[?(EXT|EXTERNAL)\]?[: ]\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'
)
)
and (
length(headers.references) > 0
or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
)

// Not from a legitimate Zoom domain
and not (
sender.email.domain.root_domain in (
"zoom.us",
"zuora.com",
"zoomgov.com",
"zoom.com"
)
and headers.auth_summary.dmarc.pass
)

attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
- "Evasion"
detection_methods:
- "Computer Vision"
- "Content analysis"
- "HTML analysis"
- "Natural Language Understanding"
- "URL analysis"
id: "5abad540-8e6c-5c82-9f8e-a59009915b63"
Loading