← Back to Explore
sublimemediumRule
Fake Zoho Sign template abuse
This rule captures credential phishing attempts abusing the Zoho Sign template. The rule looks for artifacts of the Hijacked Zoho link and other template constructs.
Detection Query
type.inbound
and 0 < length(body.links) < 10
// Link contains Start Signing
and any(body.links, .display_text == "Start Signing")
// Zoho artifact in html body
and regex.contains(body.html.raw,
'title="Original URL: https:\/\/sign\.zoho\.com\/zsguest\?[^"]*action_type=SIGN\.[^"]*Click or tap if you trust this link\."'
)
// but the Zoho link is not active
and not any(body.links, .href_url.domain.root_domain == "zoho.com")
// and the body thread contains the Sender + recipient domain
and any(recipients.to,
strings.icontains(body.current_thread.text,
strings.concat("Sender\n", .email.domain.domain)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Fake Zoho Sign template abuse"
description: "This rule captures credential phishing attempts abusing the Zoho Sign template. The rule looks for artifacts of the Hijacked Zoho link and other template constructs."
type: "rule"
severity: "medium"
source: |
type.inbound
and 0 < length(body.links) < 10
// Link contains Start Signing
and any(body.links, .display_text == "Start Signing")
// Zoho artifact in html body
and regex.contains(body.html.raw,
'title="Original URL: https:\/\/sign\.zoho\.com\/zsguest\?[^"]*action_type=SIGN\.[^"]*Click or tap if you trust this link\."'
)
// but the Zoho link is not active
and not any(body.links, .href_url.domain.root_domain == "zoho.com")
// and the body thread contains the Sender + recipient domain
and any(recipients.to,
strings.icontains(body.current_thread.text,
strings.concat("Sender\n", .email.domain.domain)
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Open redirect"
- "Social engineering"
detection_methods:
- "Content analysis"
- "HTML analysis"
- "URL analysis"
id: "785fd0d5-87ef-5f0e-ad35-ecd4f2388fc0"