Medium Severity

Service Abuse: Zoom with freemail reply-to and recipient address in greeting

Labels

Spam

Free email provider

Description

Detects messages impersonating Zoom that use a freemail provider for the reply-to address, have a new and unsolicited reply-to profile, and contain the recipient's email address in the greeting line where a name would normally appear.

References

No references.

Sublime Security

Created May 6th, 2026 • Last updated May 6th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
// is from zoom
and sender.email.email == "no-reply@zoom.us"
// has a freemail for a reply-to address
and headers.reply_to[0].email.domain.domain in $free_email_providers
// the reply-to address is new 
and beta.profile.by_reply_to().prevalence == "new"
and not beta.profile.by_reply_to().solicited
// the "greeting" line contains an email address matching the recipient's email root domain
// this is normally a name
and any(regex.iextract(body.current_thread.text,
                       '^\S+\s+(?P<last_word>\S+?),?(?:\n|\z)'
        ),
        strings.parse_email(.named_groups["last_word"]).domain.root_domain == recipients.to[0].email.domain.root_domain
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.