Zoom Events Newsletter Abuse

Sublime Rules

Summary
This detection rule identifies potentially malicious Zoom Events notifications that may be used for credential theft. It inspects inbound email sent from the 'noreply-zoomevents@zoom.us' address and requires that both SPF and DMARC authentication checks pass, which mitigates false positives from unauthenticated sources. The core of the detection extracts text from specified sections of the HTML body and passes it to the NLU (Natural Language Understanding) classifier; an alert is raised when the classifier labels that text as credential theft ('cred_theft') with high confidence. The rule also examines every URL in the email for links that point to known free file hosting services or their subdomains. Combining header analysis, HTML inspection, URL parsing, and NLU classification in this way lets the rule spot phishing attempts disguised as legitimate Zoom Events notifications.
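The following Python sketch is an added illustration of the logic the summary describes, not the rule's own code (Sublime rules are written in MQL, not Python). It assumes the four conditions combine with AND, reads SPF/DMARC results from an Authentication-Results header, and replaces the NLU classifier and the free-file-host list with clearly labelled stand-ins, run over a constructed sample message.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SENDER = "noreply-zoomevents@zoom.us"
# Constructed placeholders standing in for the rule's real free-file-host list.
FREE_FILE_HOSTS = ("filehost.example", "share.example")

class _HtmlText(HTMLParser):
    """Collect visible text and <a href> targets from the HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]
    def handle_data(self, data):
        self.text.append(data)

def auth_passed(msg) -> bool:
    # Both SPF and DMARC must report "pass" in Authentication-Results.
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return "spf=pass" in results and "dmarc=pass" in results

def cred_theft_confidence(text: str) -> float:
    """Stand-in for the NLU 'cred_theft' classifier (assumption): keyword score in [0, 1]."""
    cues = ("verify your password", "account will be suspended", "sign in to confirm")
    return min(1.0, sum(c in text.lower() for c in cues) / 2)

def on_free_file_host(url: str) -> bool:
    """True if the URL's host is a listed free file host or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in FREE_FILE_HOSTS)

def is_zoom_events_abuse(raw_email: str, threshold: float = 0.9) -> bool:
    msg = message_from_string(raw_email)
    if parseaddr(msg.get("From", ""))[1].lower() != SENDER or not auth_passed(msg):
        return False  # wrong sender or unauthenticated: outside this rule's scope
    html = _HtmlText()
    html.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    return (cred_theft_confidence(" ".join(html.text)) >= threshold
            and any(on_free_file_host(u) for u in html.links))

# Constructed sample: authenticated Zoom Events mail pushing a "verify" link on a file host.
SAMPLE = ("From: Zoom Events <noreply-zoomevents@zoom.us>\n"
          "Authentication-Results: mx.example; spf=pass; dmarc=pass\n"
          "Content-Type: text/html\n\n"
          '<p>Your account will be suspended. <a href="https://docs.filehost.example/f">'
          "sign in to confirm</a> and verify your password.</p>\n")
```

A message that fails any one gate (different sender, failed DMARC, no free-file-host link, or low classifier confidence) does not alert, which is what keeps the rule narrow.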
Categories
  • Identity Management
  • Cloud
  • Web
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2025-06-24