Service abuse: Suspicious Zoom Docs link

Severity: low
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects messages from Zoom Docs in which the document originates from a newly observed email address or contains suspicious indicators.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	Credential Phishing
Tactics and techniques	Social engineering, Free file host, Evasion

Event coverage

Message attribute
body
body.links (collection)
sender
sender.email
type

Rule body MQL

type.inbound
and sender.email.domain.root_domain == "zoom.us"
and strings.ends_with(sender.display_name, "Zoom Docs")
and (
  any(html.xpath(body.html, '//h2').nodes,
      // extract the sender email out of the message body
      any(regex.iextract(.display_text,
                         '^(?P<sender_display_name>[^\(]+)\((?P<sender_email>[^\)]+@(?P<sender_domain>[^\)]+))\)'
          ),
          .named_groups["sender_domain"] not in $org_domains
          and .named_groups["sender_email"] not in $recipient_emails
          and .named_groups["sender_email"] not in $sender_emails
          and not (
            .named_groups["sender_domain"] not in $free_email_providers
            and .named_groups["sender_domain"] in $recipient_domains
            and .named_groups["sender_domain"] in $sender_domains
          )
      )
  )
  or any(body.links,
         .href_url.domain.domain == "docs.zoom.us"
         and any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                        .href_url.domain.root_domain != 'zoom.us'
                        and .href_url.domain.domain != 'zoom.us'
                 ),
                 (
                   // any of those links domains are new
                   network.whois(.href_url.domain).days_old < 30
                   // go to free file hosts
                   or .href_url.domain.root_domain in $free_file_hosts
                   or .href_url.domain.domain in $free_file_hosts

                   // go to free subdomains hosts
                   or (
                     .href_url.domain.root_domain in $free_subdomain_hosts
                     // where there is a subdomain
                     and .href_url.domain.subdomain is not null
                     and .href_url.domain.subdomain != "www"
                   )
                   // go to url shortners
                   or .href_url.domain.root_domain in $url_shorteners
                   or .href_url.domain.domain in $url_shorteners
                   or (
                     // find any links that mention common "action" words
                     regex.icontains(.display_text,
                                     '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
                     )
                   )
                 )
         )
  )
)

Detection logic

Scope: inbound message.

Detects messages from Zoom Docs in which the document originates from a newly observed email address or contains suspicious indicators.

inbound message
sender.email.domain.root_domain is 'zoom.us'
sender.display_name ends with 'Zoom Docs'
any of:
- any of html.xpath(body.html, '//h2').nodes where:
  - any of regex.iextract(.display_text) where all hold:
    
    .named_groups['sender_domain'] not in $org_domains
    .named_groups['sender_email'] not in $recipient_emails
    .named_groups['sender_email'] not in $sender_emails
    not:
    
    all of:
    
    .named_groups['sender_domain'] not in $free_email_providers
    .named_groups['sender_domain'] in $recipient_domains
    .named_groups['sender_domain'] in $sender_domains
- any of body.links where all hold:
  - .href_url.domain.domain is 'docs.zoom.us'
  - any of filter(...) where any holds:
    
    network.whois(.href_url.domain).days_old < 30
    .href_url.domain.root_domain in $free_file_hosts
    .href_url.domain.domain in $free_file_hosts
    all of:
    
    .href_url.domain.root_domain in $free_subdomain_hosts
    .href_url.domain.subdomain is set
    .href_url.domain.subdomain is not 'www'
    .href_url.domain.root_domain in $url_shorteners
    .href_url.domain.domain in $url_shorteners
    .display_text matches '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'

Inspects: body.html, body.links, body.links[].href_url.domain.domain, sender.display_name, sender.email.domain.root_domain, type.inbound. Sensors: html.xpath, ml.link_analysis, network.whois, regex.icontains, regex.iextract, strings.ends_with. Reference lists: $free_email_providers, $free_file_hosts, $free_subdomain_hosts, $org_domains, $recipient_domains, $recipient_emails, $sender_domains, $sender_emails, $url_shorteners.

Indicators matched (5)

Field	Match	Value
`sender.email.domain.root_domain`	equals	`zoom.us`
`strings.ends_with`	suffix	`Zoom Docs`
`regex.iextract`	regex	`^(?P<sender_display_name>[^$]+)\((?P<sender_email>[^$]+@(?P<sender_domain>[^\)]+))\)`
`body.links[].href_url.domain.domain`	equals	`docs.zoom.us`
`regex.icontains`	regex	`(?:view\|click\|show\|access\|download\|goto\|Validate\|Va[il]idar\|login\|verify\|account)`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)