
Fake Zoom meeting invite with suspicious link

Detects messages impersonating Zoom meetings that contain suspicious links not hosted on legitimate Zoom domains, with recipients hidden as 'Undisclosed recipients' or missing entirely. The rule identifies Zoom-related language while excluding legitimate Zoom communications and meeting summaries.

MITRE ATT&CK

initial-access, defense-evasion

Detection Query

// Fake Zoom meeting invite whose link does not lead to Zoom.
// Structure: a set of positive conditions (all must hold), followed by
// `and not (...)` exclusions for legitimate Zoom traffic and threaded mail.

// inbound mail only
type.inbound
// first message in its thread: no quoted earlier messages in the body
and length(body.previous_threads) == 0
// the NLU classifier must return exactly one topic, and that topic must be
// one of the two below with a confidence other than "low"
and length(ml.nlu_classifier(body.current_thread.text).topics) == 1
and all(ml.nlu_classifier(body.current_thread.text).topics,
        .name in ("Events and Webinars", "Software and App Updates")
        and .confidence != "low"
)

// Zoom meeting language (case-insensitive wildcard match on the body text).
// NOTE(review): ilike with several patterns presumably matches if ANY one
// pattern hits, so "*participants*" alone satisfies this clause — confirm
// against the MQL docs if all three phrases are intended to be required.
and strings.ilike(body.current_thread.text,
                  "*zoom meeting*",
                  "*meeting ID*",
                  "*participants*"
)

// suspicious recipients pattern: the To header either names an
// "undisclosed recipients" placeholder (`?` matches a single character, so
// the space/hyphen variants both hit) or is empty
and (
  any(recipients.to, strings.ilike(.display_name, "undisclosed?recipients"))
  or length(recipients.to) == 0
)

// suspicious link, part 1: exclude messages that already carry a genuine
// Zoom join link — a root domain from the list below together with a
// non-null 'pwd' query parameter. This exclusion is message-wide: one such
// link anywhere in the body suppresses the rule.
// NOTE(review): emailprotection.link is presumably a link-rewriting domain
// that wraps the real Zoom URL — confirm.
and not any(body.links,
            .href_url.domain.root_domain in (
              "zoom.us",
              "zoom.com",
              "emailprotection.link"
            )
            and any(.href_url.query_params_decoded['pwd'], . is not null)
)
// suspicious link, part 2: at least one link must be suspicious by TLD or
// by what link analysis finds when it follows the link
and (
  any(body.links,
      // $suspicious_tlds is a list maintained outside this rule
      .href_url.domain.tld in $suspicious_tlds
      // country code second-level domain (a tld value of the form "com.xx")
      or strings.istarts_with(.href_url.domain.tld, "com.")
      // link-analysis signals: any one of the three below, AND the page the
      // link finally lands on (after redirects) is not a Zoom domain
      or (
        (
          // the link triggers a file download
          length(ml.link_analysis(.).files_downloaded) > 0
          // Zoom logo on page (credential-phishing brand detection)
          or ml.link_analysis(.).credphish.brand.name == "Zoom"
          // blocked by a Cloudflare CAPTCHA: the analyzer never reached the
          // real page, which is treated as a suspicious signal in itself
          or strings.icontains(ml.link_analysis(.).final_dom.raw,
                               'https://challenges.cloudflare.com/turnstile/',
          )
        )
        and ml.link_analysis(.).effective_url.domain.root_domain not in (
          "zoom.us",
          "zoom.com"
        )
      )
  )
)

// negate auto-generated meeting summaries: both phrases must be present,
// matching the boilerplate of Zoom's AI summary mails
and not (
  strings.icontains(body.current_thread.text, "meeting summary")
  and strings.icontains(body.current_thread.text,
                        "AI-generated content may be inaccurate or misleading."
  )
)
// negate replies and threaded forwards.
// NOTE(review): assuming `and` binds tighter than `or`, this reads as
//   is_reply OR (is_forward AND (References present OR an In-Reply-To
//   header on some hop)) — i.e. a reply is excluded unconditionally, a
//   forward only when it carries threading headers. Confirm that is the
//   intended grouping; explicit parentheses would make it unambiguous.
and not (
  subject.is_reply
  or subject.is_forward
  and (
    length(headers.references) > 0
    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
)
// Not from a legitimate Zoom domain. The exclusion requires BOTH a listed
// sender domain AND a DMARC pass, so a spoofed From on one of these
// domains that fails DMARC is still evaluated by the rule.
// NOTE(review): the non-Zoom names here (zuora.com, zoom-x.de) are presumably
// partners that send on Zoom's behalf — confirm before extending the list.
// NOTE(review): if dmarc is absent/null the conjunction presumably does not
// evaluate true and the exclusion does not apply — confirm null semantics.
and not (
  sender.email.domain.root_domain in (
    "zoom.us",
    "zuora.com",
    "zoomgov.com",
    "zoom.com",
    "zoom-x.de"
  )
  and headers.auth_summary.dmarc.pass
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
# Sublime detection rule definition. The `source` key holds the MQL query
# verbatim; everything else is metadata shown in the rule catalogue.
name: "Fake Zoom meeting invite with suspicious link"
description: "Detects messages impersonating Zoom meetings that contain suspicious links not hosted on legitimate Zoom domains, with recipients hidden as 'Undisclosed recipients' or missing entirely. The rule identifies Zoom-related language while excluding legitimate Zoom communications and meeting summaries."
type: "rule"
severity: "medium"
# Literal block scalar: the MQL below is stored byte-for-byte, including its
# `//` comments. Positive conditions first, then `and not (...)` exclusions
# for genuine Zoom join links, AI meeting summaries, threaded mail and
# DMARC-passing mail from the listed Zoom-related sender domains.
source: |
  type.inbound
  and length(body.previous_threads) == 0
  and length(ml.nlu_classifier(body.current_thread.text).topics) == 1
  and all(ml.nlu_classifier(body.current_thread.text).topics,
          .name in ("Events and Webinars", "Software and App Updates")
          and .confidence != "low"
  )
  
  // Zoom meeting language
  and strings.ilike(body.current_thread.text,
                    "*zoom meeting*",
                    "*meeting ID*",
                    "*participants*"
  )
  
  // suspicious recipients pattern
  and (
    any(recipients.to, strings.ilike(.display_name, "undisclosed?recipients"))
    or length(recipients.to) == 0
  )
  
  // suspicious link
  and not any(body.links,
              .href_url.domain.root_domain in (
                "zoom.us",
                "zoom.com",
                "emailprotection.link"
              )
              and any(.href_url.query_params_decoded['pwd'], . is not null)
  )
  and (
    any(body.links,
        .href_url.domain.tld in $suspicious_tlds
        // country code second-level domain
        or strings.istarts_with(.href_url.domain.tld, "com.")
        or (
          (
            length(ml.link_analysis(.).files_downloaded) > 0
            // Zoom logo on page
            or ml.link_analysis(.).credphish.brand.name == "Zoom"
            // blocked by a Cloudflare CAPTCHA
            or strings.icontains(ml.link_analysis(.).final_dom.raw,
                                 'https://challenges.cloudflare.com/turnstile/',
            )
          )
          and ml.link_analysis(.).effective_url.domain.root_domain not in (
            "zoom.us",
            "zoom.com"
          )
        )
    )
  )
  
  // negate auto-generated meeting summaries 
  and not (
    strings.icontains(body.current_thread.text, "meeting summary")
    and strings.icontains(body.current_thread.text,
                          "AI-generated content may be inaccurate or misleading."
    )
  )
  and not (
    subject.is_reply
    or subject.is_forward
    and (
      length(headers.references) > 0
      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
    )
  )
  // Not from a legitimate Zoom domain
  and not (
    sender.email.domain.root_domain in (
      "zoom.us",
      "zuora.com",
      "zoomgov.com",
      "zoom.com",
      "zoom-x.de"
    )
    and headers.auth_summary.dmarc.pass
  )

# Catalogue tags: the attack class, the techniques the rule looks for, and
# the analysis methods the query relies on (NLU, link analysis, headers).
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
# stable rule identifier used by the platform
id: "aba95f23-b8d5-5764-9729-d2db50464760"