• Sublime Core Feed
High Severity

Attachment: Fake Zoom installer

Labels

Malware/Ransomware
Evasion
HTML smuggling
Impersonation: Brand
Scripting
Social engineering
Archive analysis
Computer Vision
File analysis
HTML analysis
Natural Language Understanding
URL analysis

Description

HTML attachment contains a Zoom logo, request language, and a link to an executable. Observed in the wild.

References

No references.

Sublime Security
Created Oct 19th, 2023 • Last updated Nov 29th, 2023
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments,
        (
          .file_extension in~ ("html", "htm", "shtml", "dhtml")
          or .file_type == "html"
          or .content_type == "text/html"
        )
        and any(ml.logo_detect(file.html_screenshot(.)).brands,
                .name == "Zoom" and .confidence in ("medium", "high")
        )
        and any(ml.nlu_classifier(file.parse_html(.).display_text).entities,
                .name == "request" and .text =~ "download"
        )
        and any(file.explode(.),
                any(.scan.url.urls,
                    strings.iends_with(.path, ".exe")
                    and .domain.root_domain not in $org_domains
                )
        )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started