Detection rules › Sublime MQL
Link: Direct link to Zoom Docs from non-Zoom sender
Message includes a single link to Zoom Docs, with no other links to Zoom, and originates from a sender outside the Zoom organization.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Social engineering, Impersonation: Brand |
Event coverage
| Message attribute |
|---|
| body |
| body.links (collection) |
| headers.auth_summary |
| sender.email |
| type |
Rule body MQL
```
type.inbound
// contains a link to zoom docs
and any(body.links, .href_url.domain.domain == "docs.zoom.us")
// is the only link to zoom
and length(filter(body.links, .href_url.domain.root_domain == "zoom.us")) == 1
// not from zoom.us
and not (
  sender.email.domain.root_domain == "zoom.us"
  and headers.auth_summary.dmarc.pass
)
```
Detection logic
Scope: inbound message.
- inbound message
- any of body.links where:
  - .href_url.domain.domain is 'docs.zoom.us'
- length(filter(body.links, .href_url.domain.root_domain is 'zoom.us')) is 1
- not all of:
  - sender.email.domain.root_domain is 'zoom.us'
  - headers.auth_summary.dmarc.pass
Inspects: body.links, body.links[].href_url.domain.domain, body.links[].href_url.domain.root_domain, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, type.inbound.
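The rule's three conditions as a small Python model run over constructed sample messages, added here as an example and not code from the Sublime rule itself. The `Message` class, `matches_rule` and the samples are assumptions for illustration; root-domain extraction is simplified to the last two host labels, which is enough for zoom.us but is not how the real MQL `root_domain` field behaves for multi-label public suffixes.

```python
# Added example: a Python approximation of the Zoom Docs rule, run over
# constructed messages. Not the Sublime engine; domain parsing is simplified.
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class Message:            # assumed minimal stand-in for a Sublime message
    inbound: bool
    sender_email: str
    link_urls: list
    dmarc_pass: bool      # headers.auth_summary.dmarc.pass

def domain_of(url: str) -> str:
    # .href_url.domain.domain: the full host of the link
    return (urlparse(url).hostname or "").lower()

def root_domain(host: str) -> str:
    # assumption: two-label root (MQL uses the public suffix list instead)
    return ".".join(host.split(".")[-2:])

def matches_rule(msg: Message) -> bool:
    if not msg.inbound:                       # type.inbound
        return False
    domains = [domain_of(u) for u in msg.link_urls]
    # any(body.links, .href_url.domain.domain == "docs.zoom.us")
    has_zoom_docs = any(d == "docs.zoom.us" for d in domains)
    # length(filter(body.links, .href_url.domain.root_domain == "zoom.us")) == 1
    only_one_zoom_link = sum(root_domain(d) == "zoom.us" for d in domains) == 1
    # not (sender root domain is zoom.us and DMARC passes)
    sender_root = root_domain(msg.sender_email.split("@")[-1].lower())
    from_zoom = sender_root == "zoom.us" and msg.dmarc_pass
    return has_zoom_docs and only_one_zoom_link and not from_zoom

# Constructed samples, one per branch of the rule.
SAMPLES = {
    "external_docs_link": Message(True, "alice@example.com",
        ["https://docs.zoom.us/doc/abc", "https://example.com/x"], False),
    "legit_zoom_dmarc": Message(True, "no-reply@zoom.us",
        ["https://docs.zoom.us/doc/abc"], True),
    "zoom_sender_dmarc_fail": Message(True, "no-reply@zoom.us",
        ["https://docs.zoom.us/doc/abc"], False),
    "two_zoom_links": Message(True, "bob@example.com",
        ["https://docs.zoom.us/doc/abc", "https://zoom.us/j/123"], True),
    "outbound": Message(False, "carol@example.com",
        ["https://docs.zoom.us/doc/abc"], True),
}

def evaluate_all() -> dict:
    return {name: matches_rule(m) for name, m in SAMPLES.items()}
```

Only the external sender and the zoom.us sender that fails DMARC match; a DMARC-passing zoom.us sender, a message with a second zoom.us link, and an outbound message do not.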
Indicators matched (3)
| Field | Match | Value |
|---|---|---|
| body.links[].href_url.domain.domain | equals | docs.zoom.us |
| body.links[].href_url.domain.root_domain | equals | zoom.us |
| sender.email.domain.root_domain | equals | zoom.us |