Author: sublime | Severity: medium | Type: rule

Zoom Events newsletter abuse

Detects suspicious content in Zoom Events notifications that contain credential theft language and links to file hosting sites.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and sender.email.email == "noreply-zoomevents@zoom.us"
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)

// extract the actor controlled message from the email body
and any(html.xpath(body.html,
                   "//div[@class='eb-content css-1l7xmti']//td[@data-dynamic-style-background-color='email.bodyColor.color' and @style='border-radius: 8px; background-color: rgb(255, 255, 255);']"
        ).nodes,
        // look at the content before the copyright footer in the template and pass it to NLU to see if it's cred theft 
        any(html.xpath(.,
                       "//td[@data-dynamic-style-background-color='email.bodyColor.color']/*[position() < last()]"
            ).nodes,
            any(ml.nlu_classifier(..display_text).intents,
                .name == "cred_theft" and .confidence != "low"
            )
        )
)
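The HTML-extraction half of the query can be checked offline. The block below is an added example, not Sublime's code: it replays the two XPath steps (select the white body card inside the Zoom Events template, then drop the card's last child, which is the copyright footer) using only the Python standard library, and substitutes a labelled phrase-matching stub for `ml.nlu_classifier`, since the real model is a Sublime service. The sample message is constructed to mimic the template structure the rule targets; the sender and SPF/DMARC checks are not mirrored here.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real Zoom Events message): the actor-controlled text sits
# in the white body card, and the template's copyright line is the card's last child.
SAMPLE_HTML = """<html><body>
<div class="eb-content css-1l7xmti"><table><tr>
<td data-dynamic-style-background-color="email.bodyColor.color"
    style="border-radius: 8px; background-color: rgb(255, 255, 255);">
  <p>Your account has been suspended.</p>
  <p>Verify your password now to restore access.</p>
  <p>&#169; 2024 Zoom Video Communications, Inc.</p>
</td></tr></table></div>
</body></html>"""

# The rule's first XPath, rewritten in the subset ElementTree understands
# (two chained [@attr='value'] predicates instead of 'and').
BODY_CARD = (".//div[@class='eb-content css-1l7xmti']"
             "//td[@data-dynamic-style-background-color='email.bodyColor.color']"
             "[@style='border-radius: 8px; background-color: rgb(255, 255, 255);']")

def actor_controlled_text(html):
    """Display text of each body-card child except the last (the copyright footer),
    which is what the rule's /*[position() < last()] step feeds to the classifier."""
    segments = []
    for card in ET.fromstring(html).findall(BODY_CARD):
        for node in list(card)[:-1]:
            segments.append(" ".join("".join(node.itertext()).split()))
    return segments

# Placeholder for Sublime's ml.nlu_classifier: crude phrase matching that returns
# the same shape the rule tests (an intent name and a confidence bucket).
CRED_THEFT_PHRASES = ("account has been suspended", "verify your password",
                      "confirm your identity", "unusual sign-in")

def classify(text):
    hits = sum(phrase in text.lower() for phrase in CRED_THEFT_PHRASES)
    if hits == 0:
        return {"name": "benign", "confidence": "low"}
    return {"name": "cred_theft", "confidence": "high" if hits > 1 else "medium"}

def rule_matches(html):
    """Mirror of the nested any(): fire when any extracted segment is classified
    cred_theft with a confidence other than low."""
    for segment in actor_controlled_text(html):
        intent = classify(segment)
        if intent["name"] == "cred_theft" and intent["confidence"] != "low":
            return True
    return False

if __name__ == "__main__":
    print(actor_controlled_text(SAMPLE_HTML))
    print("rule matches:", rule_matches(SAMPLE_HTML))
```

Swapping the two body paragraphs for ordinary event text shows the footer alone never trips the check, which is the point of excluding the last child.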

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Raw Content
name: "Zoom Events newsletter abuse"
description: "Detects suspicious content in Zoom Events notifications that contain credential theft language and links to file hosting sites."
type: "rule"
severity: "medium"
references:
  - "https://blog.reconinfosec.com/zoom-events-phishing"
source: |
  type.inbound
  and sender.email.email == "noreply-zoomevents@zoom.us"
  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
  
  // extract the actor controlled message from the email body
  and any(html.xpath(body.html,
                     "//div[@class='eb-content css-1l7xmti']//td[@data-dynamic-style-background-color='email.bodyColor.color' and @style='border-radius: 8px; background-color: rgb(255, 255, 255);']"
          ).nodes,
          // look at the content before the copyright footer in the template and pass it to NLU to see if it's cred theft 
          any(html.xpath(.,
                         "//td[@data-dynamic-style-background-color='email.bodyColor.color']/*[position() < last()]"
              ).nodes,
              any(ml.nlu_classifier(..display_text).intents,
                  .name == "cred_theft" and .confidence != "low"
              )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Free subdomain host"
  - "Social engineering"
  - "Impersonation: Brand"
detection_methods:
  - "Header analysis"
  - "HTML analysis"
  - "Natural Language Understanding"
  - "URL analysis"
id: "c8fce846-4745-597d-a90c-4c788dcb402a"