Brand impersonation: Zoom (strict)

name: "Brand impersonation: Zoom (strict)"
description: |
  Impersonation of the video conferencing provider Zoom. This "strict" version of this rule 
  will only flag when the sender's display name matches those used by Zoom exactly.
references:
  - "https://www.theverge.com/2020/5/12/21254921/hacker-domains-impersonating-zoom-microsoft-teams-google-meet-phishing-covid-19"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    sender.display_name =~ 'zoom'
    or sender.display_name =~ 'zoom video communications, inc.'
    or sender.display_name =~ 'zoom call'
  )
  and sender.email.domain.root_domain not in (
    'zoom.us',
    'zuora.com',
    'zoomgov.com',
    'zoom.com'
  )
  and (
    // if this comes from a free email provider,
    // flag if org has never sent an email to sender's email before
    (
      sender.email.domain.root_domain in $free_email_providers
      and not profile.by_sender().solicited
    )
    // if this comes from a custom domain,
    // flag if org has never sent an email to sender's domain before
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and not profile.by_sender().solicited
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
id: "00f3d94f-7ed2-5dde-a48d-fb5fcbc20cd2"