← Back to Explore
sublimemediumRule
Brand impersonation: Zoom with deceptive link display
Detects messages mentioning Zoom in the subject or body that contain links appearing to go to zoom.us but actually redirect to different domains.
Detection Query
type.inbound
and sender.email.domain.root_domain in $free_email_providers
and any([subject.base, body.current_thread.text], strings.icontains(., "zoom"))
and any(filter(body.current_thread.links,
strings.icontains(.href_url.url, "zoom.us")
),
.href_url.domain.root_domain not in ("zoom.us", "zoom.com")
and .display_url.domain.root_domain not in ("zoom.us", "zoom.com")
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand impersonation: Zoom with deceptive link display"
description: "Detects messages mentioning Zoom in the subject or body that contain links appearing to go to zoom.us but actually redirect to different domains."
type: "rule"
severity: "medium"
source: |
type.inbound
and sender.email.domain.root_domain in $free_email_providers
and any([subject.base, body.current_thread.text], strings.icontains(., "zoom"))
and any(filter(body.current_thread.links,
strings.icontains(.href_url.url, "zoom.us")
),
.href_url.domain.root_domain not in ("zoom.us", "zoom.com")
and .display_url.domain.root_domain not in ("zoom.us", "zoom.com")
)
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Impersonation: Brand"
detection_methods:
- "Content analysis"
- "URL analysis"
id: "de5b26b7-24fa-531a-9906-b4391884d133"