Medium Severity
Fake Zoho Sign template abuse
Description
This rule captures credential phishing attempts abusing the Zoho Sign template. The rule looks for artifacts of the Hijacked Zoho link and other template constructs.
References
No references.
Sublime Security
Created Sep 30th, 2024 • Last updated Sep 30th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and 0 < length(body.links) < 10
// Link contains Start Signing
and any(body.links, .display_text == "Start Signing")
// Zoho artifact in html body
and regex.contains(body.html.raw,
'title="Original URL: https:\/\/sign\.zoho\.com\/zsguest\?[^"]*action_type=SIGN\.[^"]*Click or tap if you trust this link\."'
)
// but the Zoho link is not active
and not any(body.links, .href_url.domain.root_domain == "zoho.com")
// and the body thread contains the Sender + recipient domain
and any(recipients.to,
strings.icontains(body.current_thread.text,
strings.concat("Sender\n", .email.domain.domain)
)
)
Playground
Test against your own EMLs or sample data.