High Severity

Brand impersonation: Zoom via lookalike domain

Labels

Credential Phishing

Impersonation: Brand

Description

Message contains a single link which attempts to spoof a 'zoom' link, sent from a free email provider to a single recipient.

References

No references.

Sublime Security

Created Feb 5th, 2026 • Last updated Feb 5th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(body.current_thread.links,
        not (
          .href_url.domain.root_domain in (
            "zoom.us",
            "zoom.com",
            "zoominternet.net",
            "profitzoom.net",
            "zoomtown.com"
          )
          or .display_url.domain.root_domain in (
            "zoom.us",
            "zoom.com",
            "zoominternet.net",
            "profitzoom.net",
            "zoomtown.com"
          )
        )
        // zoom in the subdomain or sld
        and (
          strings.contains(.href_url.domain.sld, "zoom")
          or strings.contains(.href_url.domain.subdomain, "zoom")
          or strings.contains(.display_url.domain.sld, "zoom")
          or strings.contains(.display_url.domain.subdomain, "zoom")
        )
)
and length(body.current_thread.links) == 1
and sender.email.domain.root_domain in $free_email_providers
and length(recipients.to) == 1
and not subject.is_forward

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.