sublime · low · Rule

Service abuse: Suspicious Zoom Docs link

Detects messages from Zoom Docs in which the document originates from a newly observed email address or contains suspicious indicators.

MITRE ATT&CK

initial-access, defense-evasion

Detection Query

// Service abuse: Suspicious Zoom Docs link
//
// Scope: inbound mail sent by Zoom Docs itself (sender root domain zoom.us and a
// display name ending in "Zoom Docs"). The rule fires when either
//   (A) the sharer's address, as printed in an <h2> of the notification body,
//       is unfamiliar to the organisation, or
//   (B) a docs.zoom.us link in the body resolves to a document whose
//       off-Zoom links look like phishing infrastructure.
type.inbound
and sender.email.domain.root_domain == "zoom.us"
and strings.ends_with(sender.display_name, "Zoom Docs")
and (
  // (A) Sharer identity. Parse "Display Name (user@domain)" out of every <h2>.
  // NOTE(review): this depends on Zoom's notification template rendering the
  // sharer as an <h2>; if the template changes, branch (A) silently stops matching.
  any(html.xpath(body.html, '//h2').nodes,
      // extract the sender email out of the message body
      // (anchored at the start only; sender_domain runs up to the closing ')')
      any(regex.iextract(.display_text,
                         '^(?P<sender_display_name>[^\(]+)\((?P<sender_email>[^\)]+@(?P<sender_domain>[^\)]+))\)'
          ),
          // sharer is not one of our own domains ...
          .named_groups["sender_domain"] not in $org_domains
          // ... and the exact address is not a known correspondent
          // (presumably $recipient_emails / $sender_emails hold previously
          // observed addresses for this org -- confirm against the list definitions)
          and .named_groups["sender_email"] not in $recipient_emails
          and .named_groups["sender_email"] not in $sender_emails
          // ... and the domain is not an established two-way correspondent.
          // The `not in $free_email_providers` term keeps free webmail domains
          // out of this exemption: such a domain would likely appear in both
          // correspondent lists and would otherwise exempt every sharer on it.
          and not (
            .named_groups["sender_domain"] not in $free_email_providers
            and .named_groups["sender_domain"] in $recipient_domains
            and .named_groups["sender_domain"] in $sender_domains
          )
      )
  )
  // (B) Link content. Only links whose host is exactly docs.zoom.us are
  // considered here; links to other zoom.us hosts are covered by branch (A) alone.
  or any(body.links,
         .href_url.domain.domain == "docs.zoom.us"
         // NOTE(review): mode="aggressive" presumably follows the link and renders
         // the shared document; final_dom.links are the links found there.
         // Zoom's own links are filtered out so only third-party destinations
         // are scored below.
         and any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                        .href_url.domain.root_domain != 'zoom.us'
                        and .href_url.domain.domain != 'zoom.us'
                 ),
                 (
                   // any of those link domains are new (WHOIS age under 30 days)
                   network.whois(.href_url.domain).days_old < 30
                   // go to free file hosts
                   // (both the full host and the root domain are checked,
                   // presumably because the list may hold either form)
                   or .href_url.domain.root_domain in $free_file_hosts
                   or .href_url.domain.domain in $free_file_hosts

                   // go to free subdomain hosts
                   or (
                     .href_url.domain.root_domain in $free_subdomain_hosts
                     // where there is a subdomain, i.e. a tenant page rather
                     // than the provider's own site
                     and .href_url.domain.subdomain is not null
                     and .href_url.domain.subdomain != "www"
                   )
                   // go to url shorteners
                   or .href_url.domain.root_domain in $url_shorteners
                   or .href_url.domain.domain in $url_shorteners
                   or (
                     // find any links that mention common "action" words.
                     // icontains is case-insensitive, so the mixed-case
                     // alternatives (Validate, Va[il]idar) behave like lower-case
                     // ones; the broad words (view, account) are the likeliest
                     // source of false positives in this branch.
                     regex.icontains(.display_text,
                                     '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
                     )
                   )
                 )
         )
  )
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Tags

Attack surface reduction
Raw Content
name: "Service abuse: Suspicious Zoom Docs link"
description: "Detects messages from Zoom Docs in which the document originates from a newly observed email address or contains suspicious indicators."
type: "rule"
severity: "low"
# The block scalar below is an MQL query; `//` lines inside it are MQL comments.
source: |
  // Scope: inbound mail sent by Zoom Docs itself (sender root domain zoom.us and a
  // display name ending in "Zoom Docs"). The rule fires when either
  //   (A) the sharer's address, as printed in an <h2> of the notification body,
  //       is unfamiliar to the organisation, or
  //   (B) a docs.zoom.us link in the body resolves to a document whose
  //       off-Zoom links look like phishing infrastructure.
  type.inbound
  and sender.email.domain.root_domain == "zoom.us"
  and strings.ends_with(sender.display_name, "Zoom Docs")
  and (
    // (A) Sharer identity. Parse "Display Name (user@domain)" out of every <h2>.
    // NOTE(review): this depends on Zoom's notification template rendering the
    // sharer as an <h2>; if the template changes, branch (A) silently stops matching.
    any(html.xpath(body.html, '//h2').nodes,
        // extract the sender email out of the message body
        // (anchored at the start only; sender_domain runs up to the closing ')')
        any(regex.iextract(.display_text,
                           '^(?P<sender_display_name>[^\(]+)\((?P<sender_email>[^\)]+@(?P<sender_domain>[^\)]+))\)'
            ),
            // sharer is not one of our own domains ...
            .named_groups["sender_domain"] not in $org_domains
            // ... and the exact address is not a known correspondent
            // (presumably $recipient_emails / $sender_emails hold previously
            // observed addresses for this org -- confirm against the list definitions)
            and .named_groups["sender_email"] not in $recipient_emails
            and .named_groups["sender_email"] not in $sender_emails
            // ... and the domain is not an established two-way correspondent.
            // The `not in $free_email_providers` term keeps free webmail domains
            // out of this exemption: such a domain would likely appear in both
            // correspondent lists and would otherwise exempt every sharer on it.
            and not (
              .named_groups["sender_domain"] not in $free_email_providers
              and .named_groups["sender_domain"] in $recipient_domains
              and .named_groups["sender_domain"] in $sender_domains
            )
        )
    )
    // (B) Link content. Only links whose host is exactly docs.zoom.us are
    // considered here; links to other zoom.us hosts are covered by branch (A) alone.
    or any(body.links,
           .href_url.domain.domain == "docs.zoom.us"
           // NOTE(review): mode="aggressive" presumably follows the link and renders
           // the shared document; final_dom.links are the links found there.
           // Zoom's own links are filtered out so only third-party destinations
           // are scored below.
           and any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                          .href_url.domain.root_domain != 'zoom.us'
                          and .href_url.domain.domain != 'zoom.us'
                   ),
                   (
                     // any of those link domains are new (WHOIS age under 30 days)
                     network.whois(.href_url.domain).days_old < 30
                     // go to free file hosts
                     // (both the full host and the root domain are checked,
                     // presumably because the list may hold either form)
                     or .href_url.domain.root_domain in $free_file_hosts
                     or .href_url.domain.domain in $free_file_hosts
  
                     // go to free subdomain hosts
                     or (
                       .href_url.domain.root_domain in $free_subdomain_hosts
                       // where there is a subdomain, i.e. a tenant page rather
                       // than the provider's own site
                       and .href_url.domain.subdomain is not null
                       and .href_url.domain.subdomain != "www"
                     )
                     // go to url shorteners
                     or .href_url.domain.root_domain in $url_shorteners
                     or .href_url.domain.domain in $url_shorteners
                     or (
                       // find any links that mention common "action" words.
                       // icontains is case-insensitive, so the mixed-case
                       // alternatives (Validate, Va[il]idar) behave like lower-case
                       // ones; the broad words (view, account) are the likeliest
                       // source of false positives in this branch.
                       regex.icontains(.display_text,
                                       '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
                       )
                     )
                   )
           )
    )
  )
tags:
 - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Free file host"
  - "Evasion"
detection_methods:
  - "HTML analysis"
  - "Sender analysis"
  - "Header analysis"
id: "064b2594-d24d-5857-8571-43ff2e8267c9"