Adversaries may use link sharing across multiple Zoom chat channels to exfiltrate data or deploy malware, leveraging the platform's communication channels for lateral movement. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify potential covert command and control or data exfiltration activity: the pattern to look for is one user posting the same link into several channels within a short window.
KQL Query
let threshold = 3;
ZoomLogs
| where Event =~ "chat_message.sent"
| extend Channel = tostring(parse_json(ChatEvents).Channel)
| extend Message = tostring(parse_json(ChatEvents).Message)
// Keep only chat messages that carry an http(s) link.
| where Message matches regex "http(s?):\\/\\/"
// Group identical messages per sender and collect the distinct channels they were posted to.
| summarize Channels = make_set(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId
| extend ChannelCount = array_length(Channels)
| where ChannelCount > threshold
| extend AccountName = tostring(split(User, "@")[0]), AccountUPNSuffix = tostring(split(User, "@")[1])
id: 1218175f-c534-421c-8070-5dcaabf28067
name: Suspicious link sharing pattern
description: |
  'Alerts on links that have been shared across multiple Zoom chat channels by the same user in a short space of time.
  Adjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.'
severity: Low
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Reconnaissance
relevantTechniques:
  - T1598
query: |
  let threshold = 3;
  ZoomLogs
  | where Event =~ "chat_message.sent"
  | extend Channel = tostring(parse_json(ChatEvents).Channel)
  | extend Message = tostring(parse_json(ChatEvents).Message)
  // Keep only chat messages that carry an http(s) link.
  | where Message matches regex "http(s?):\\/\\/"
  // Group identical messages per sender and collect the distinct channels they were posted to.
  | summarize Channels = make_set(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId
  | extend ChannelCount = array_length(Channels)
  | where ChannelCount > threshold
  | extend AccountName = tostring(split(User, "@")[0]), AccountUPNSuffix = tostring(split(User, "@")[1])
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: User
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
        columnName: AccountUPNSuffix
version: 1.0.4
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  categories:
    domains: [ "Security - Others" ]
Scenario: A system administrator shares a legitimate internal documentation link across multiple Zoom chat channels during a team onboarding process.
Filter/Exclusion: Exclude links that match internal documentation URLs (e.g., https://internal-docs.example.com/*) or are shared by users with admin privileges.
Scenario: A scheduled job or automation tool (e.g., Ansible, Jenkins) shares a link to a shared resource (e.g., a shared drive or cloud storage) across multiple Zoom channels to notify teams of updates.
Filter/Exclusion: Exclude links that match known automation tool URLs or are shared by system accounts (e.g., [email protected], [email protected]).
Scenario: A user shares a link to a company-wide training portal across multiple Zoom channels during a scheduled training session.
Filter/Exclusion: Exclude links that match training portal URLs (e.g., https://training.example.com/*) or are shared during specific time windows (e.g., 9:00–10:00 AM).
Scenario: A customer support team shares a link to a support portal across multiple Zoom channels to assist users with common issues.
Filter/Exclusion: Exclude links that match support portal URLs (e.g., https://support.example.com/*) or are shared by support team members (e.g., [email protected]).
Scenario: A user shares a link to a shared calendar or scheduling tool (e.g., Google Calendar, Microsoft Teams) across multiple Zoom channels to coordinate meetings.
Filter/Exclusion: Exclude links that match calendar tool URLs (e.g., https://calendar.google.com/*, https://teams.microsoft.com/*) or are shared by users with calendar management permissions.
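The URL and sender exclusions described in the scenarios above are simplest to apply inside the query itself, before the channel count is taken. The following is an added tuning example, not part of the published rule; the allowlisted hostnames and service-account addresses are constructed placeholders to replace with your own, and the SpreadMinutes column is an addition that makes the "short space of time" visible to the analyst.

```kql
// Added example: the detection with allowlist tuning for known-good broadcasters.
// Hostnames and accounts below are constructed placeholders, not real values.
let threshold = 3;
// Internal destinations that are legitimately posted to many channels
// (documentation, training, support portal, calendar/meeting tools).
let AllowedHosts = dynamic([
    "internal-docs.example.com",
    "training.example.com",
    "support.example.com",
    "calendar.google.com",
    "teams.microsoft.com"
]);
// Automation and system accounts that notify many channels by design.
let ServiceAccounts = dynamic([
    "jenkins-bot@example.com",
    "ansible@example.com"
]);
ZoomLogs
| where Event =~ "chat_message.sent"
| extend Channel = tostring(parse_json(ChatEvents).Channel)
| extend Message = tostring(parse_json(ChatEvents).Message)
| where Message matches regex "http(s?):\\/\\/"
// Pull the hostname of the first link so it can be matched against the allowlist.
| extend LinkHost = tolower(extract("https?://([^/\\s]+)", 1, Message))
// Tuning: drop known-good destinations and senders before counting channels,
// so the threshold is only ever applied to unexpected links.
| where LinkHost !in~ (AllowedHosts)
| where User !in~ (ServiceAccounts)
| summarize Channels = make_set(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId, LinkHost
| extend ChannelCount = array_length(Channels)
| where ChannelCount > threshold
// How quickly the link was spread: a burst across channels within minutes is
// more suspicious than the same link posted over a whole day.
| extend SpreadMinutes = datetime_diff('minute', EndTime, StartTime)
| extend AccountName = tostring(split(User, "@")[0]), AccountUPNSuffix = tostring(split(User, "@")[1])
| project StartTime, EndTime, SpreadMinutes, User, UserId, AccountName, AccountUPNSuffix, LinkHost, Message, Channels, ChannelCount
```

Because the exclusions run before the summarize, a service account posting an allowlisted link still counts nothing, while the same account posting an unknown host is still evaluated against the threshold.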