Adversaries may add malicious domains to the Zoom domain login whitelist to bypass authentication controls and execute phishing or credential theft campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or persistence tactics early.
KQL Query
ZoomLogs
| where Event =~ "account.settings_updated"
| extend NewDomains = columnifexists("payload_object_enforce_logon_domains", "")
| where isnotempty(NewDomains)
| project TimeGenerated, Event, User, NewDomains
| extend timestamp = TimeGenerated, AccountCustomEntity = User
id: 29752996-e85d-4905-a0e1-a7dcdfcda283
name: New domain added to Whitelist
description: |
'This hunting query identifies new domains added to the domain login whitelist in Zoom.'
requiredDataConnectors: []
tactics:
- Persistence
relevantTechniques:
- T1098
query: |
ZoomLogs
| where Event =~ "account.settings_updated"
| extend NewDomains = columnifexists("payload_object_enforce_logon_domains", "")
| where isnotempty(NewDomains)
| project TimeGenerated, Event, User, NewDomains
| extend timestamp = TimeGenerated, AccountCustomEntity = User
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
version: 1.0.0
metadata:
source:
kind: Community
author:
name: Pete Bryan
support:
tier: Community
categories:
domains: [ "Security - Other" ]Scenario: A system administrator adds a new domain to the Zoom domain whitelist during routine maintenance or user onboarding.
Filter/Exclusion: Exclude events where the domain is added by a known admin account (e.g., [email protected]) or during scheduled maintenance windows (e.g., job_name = "Zoom Whitelist Update").
Scenario: A scheduled job or automation tool (e.g., Ansible, Puppet, or a custom script) updates the Zoom domain whitelist with a new domain for compliance or user access.
Filter/Exclusion: Exclude events where the source IP or user agent matches the automation tool’s known identifiers (e.g., source_ip = 10.0.0.5 or user_agent = "Ansible") or where the action is part of a known automation task (e.g., task_name = "Zoom Domain Whitelist Sync").
Scenario: A user manually adds their own domain to the Zoom whitelist for personal use or testing.
Filter/Exclusion: Exclude events where the domain is associated with a user account that is not an admin (e.g., user_email NOT LIKE '%@company.com%') or where the domain is a subdomain of the company’s primary domain (e.g., domain LIKE '%.company.com').
Scenario: A third-party service or integration (e.g., Okta, Azure AD, or a SaaS provider) automatically adds a domain to the Zoom whitelist during a sync or configuration update.
Filter/Exclusion: Exclude events where the domain is managed by an external identity provider (e.g., domain LIKE '%okta.com%' or domain LIKE '%azure.com%') or where the action is initiated by a known integration tool (e.g., source_system = "Okta") or source_system = "Azure AD".
**Scenario