sublime | medium | Rule
Link: Direct link to Zoom Docs from non-Zoom sender
Message includes a single link to Zoom Docs, with no other links to Zoom, and originates from a sender outside the Zoom organization.
Detection Query
type.inbound
// contains a link to zoom docs
and any(body.links, .href_url.domain.domain == "docs.zoom.us")
// is the only link to zoom
and length(filter(body.links, .href_url.domain.root_domain == "zoom.us")) == 1
// not from zoom.us
and not (
  sender.email.domain.root_domain == "zoom.us"
  and headers.auth_summary.dmarc.pass
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Link: Direct link to Zoom Docs from non-Zoom sender"
description: "Message includes a single link to Zoom Docs, with no other links to zoom and originates from a sender outside the Zoom organization "
type: "rule"
severity: "medium"
source: |
  type.inbound
  // contains a link to zoom docs
  and any(body.links, .href_url.domain.domain == "docs.zoom.us")
  // is the only link to zoom
  and length(filter(body.links, .href_url.domain.root_domain == "zoom.us")) == 1
  // not from zoom.us
  and not (
    sender.email.domain.root_domain == "zoom.us"
    and headers.auth_summary.dmarc.pass
  )
tags:
- "Attack surface reduction"
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Social engineering"
- "Impersonation: Brand"
detection_methods:
- "Header analysis"
- "URL analysis"
- "Sender analysis"
id: "5c6362db-62e0-56c9-b988-ad17a2738a47"