Brand impersonation: Zoom via lookalike domain
Message contains a single link which attempts to spoof a 'zoom' link, sent from a free email provider to a single recipient.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: Brand, Free email provider, Social engineering |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| recipients |
| sender.email |
| subject |
| type |
Rule body (MQL)

```mql
type.inbound
and any(body.current_thread.links,
        not (
            .href_url.domain.root_domain in (
                "zoom.us",
                "zoom.com",
                "zoominternet.net",
                "profitzoom.net",
                "zoomtown.com"
            )
            or (
                .display_url.domain.root_domain is not null
                and .display_url.domain.root_domain in (
                    "zoom.us",
                    "zoom.com",
                    "zoominternet.net",
                    "profitzoom.net",
                    "zoomtown.com"
                )
            )
        )
        // zoom in the subdomain or sld
        and (
            strings.contains(.href_url.domain.sld, "zoom")
            or strings.contains(.href_url.domain.subdomain, "zoom")
            or strings.contains(.display_url.domain.sld, "zoom")
            or strings.contains(.display_url.domain.subdomain, "zoom")
        )
)
and length(distinct(body.current_thread.links, .href_url.url)) == 1
and sender.email.domain.root_domain in $free_email_providers
and length(recipients.to) == 1
and not subject.is_forward
```
Detection logic
Scope: inbound message.
- inbound message
- any of body.current_thread.links where all hold:
  - none of:
    - .href_url.domain.root_domain in ('zoom.us', 'zoom.com', 'zoominternet.net', 'profitzoom.net', 'zoomtown.com')
    - all of:
      - .display_url.domain.root_domain is set
      - .display_url.domain.root_domain in ('zoom.us', 'zoom.com', 'zoominternet.net', 'profitzoom.net', 'zoomtown.com')
  - any of:
    - .href_url.domain.sld contains 'zoom'
    - .href_url.domain.subdomain contains 'zoom'
    - .display_url.domain.sld contains 'zoom'
    - .display_url.domain.subdomain contains 'zoom'
- length(distinct(body.current_thread.links, .href_url.url)) is 1
- sender.email.domain.root_domain in $free_email_providers
- length(recipients.to) is 1
- not:
  - subject.is_forward
Inspects: body.current_thread.links, body.current_thread.links[].display_url.domain.root_domain, body.current_thread.links[].display_url.domain.sld, body.current_thread.links[].display_url.domain.subdomain, body.current_thread.links[].href_url.domain.root_domain, body.current_thread.links[].href_url.domain.sld, body.current_thread.links[].href_url.domain.subdomain, body.current_thread.links[].href_url.url, recipients.to, sender.email.domain.root_domain, subject.is_forward, type.inbound. Sensors: strings.contains. Reference lists: $free_email_providers.
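To make the link predicate and the message-level conditions concrete, the following is an added Python re-implementation of the rule above evaluated over constructed sample messages; it is not Sublime's code. It assumes a small stand-in for the `$free_email_providers` list and simplifies `.domain.root_domain` to the last two labels of the hostname (the real engine uses the public suffix list).

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed stand-in for the $free_email_providers reference list (assumption).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
# Root domains the rule treats as genuine Zoom infrastructure (taken from the rule body).
ZOOM_ROOTS = {"zoom.us", "zoom.com", "zoominternet.net", "profitzoom.net", "zoomtown.com"}


def split_domain(host):
    """Return (root_domain, sld, subdomain). Simplification: the last two labels
    are the root domain; Sublime's .domain.* attributes use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower(), host.lower(), ""
    return ".".join(labels[-2:]), labels[-2], ".".join(labels[:-2])


@dataclass
class Link:
    href_url: str                      # where the link actually goes
    display_url: Optional[str] = None  # visible link text, when it is itself a URL


@dataclass
class Message:
    inbound: bool
    links: list
    sender_root_domain: str
    to_count: int
    is_forward: bool


def link_spoofs_zoom(link):
    """The per-link predicate inside the rule's any(...)."""
    href_root, href_sld, href_sub = split_domain(urlparse(link.href_url).hostname or "")
    disp_root, disp_sld, disp_sub = (split_domain(urlparse(link.display_url).hostname or "")
                                     if link.display_url else (None, "", ""))
    is_genuine = href_root in ZOOM_ROOTS or (disp_root is not None and disp_root in ZOOM_ROOTS)
    mentions_zoom = any("zoom" in part for part in (href_sld, href_sub, disp_sld, disp_sub))
    return not is_genuine and mentions_zoom


def rule_matches(msg):
    """Message-level conditions, in the same order as the MQL."""
    return (msg.inbound
            and any(link_spoofs_zoom(link) for link in msg.links)
            and len({link.href_url for link in msg.links}) == 1   # distinct href_url count
            and msg.sender_root_domain in FREE_EMAIL_PROVIDERS
            and msg.to_count == 1
            and not msg.is_forward)


# Constructed sample messages (not real traffic): a lookalike subdomain lure and a genuine Zoom link.
LURE = Message(True, [Link("https://zoom-meeting-login.example.com/j/123")], "gmail.com", 1, False)
GENUINE = Message(True, [Link("https://us04web.zoom.us/j/123")], "gmail.com", 1, False)
```

`rule_matches(LURE)` is true because "zoom" appears in the subdomain of a non-Zoom root domain, while `GENUINE` is excluded by the root-domain allow list; a second distinct link or a non-free-mail sender also drops the match.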
Indicators matched (11)
| Field | Match | Value |
|---|---|---|
| body.current_thread.links[].href_url.domain.root_domain | member | zoom.us |
| body.current_thread.links[].href_url.domain.root_domain | member | zoom.com |
| body.current_thread.links[].href_url.domain.root_domain | member | zoominternet.net |
| body.current_thread.links[].href_url.domain.root_domain | member | profitzoom.net |
| body.current_thread.links[].href_url.domain.root_domain | member | zoomtown.com |
| body.current_thread.links[].display_url.domain.root_domain | member | zoom.us |
| body.current_thread.links[].display_url.domain.root_domain | member | zoom.com |
| body.current_thread.links[].display_url.domain.root_domain | member | zoominternet.net |
| body.current_thread.links[].display_url.domain.root_domain | member | profitzoom.net |
| body.current_thread.links[].display_url.domain.root_domain | member | zoomtown.com |
| strings.contains | substring | zoom |