Adversaries may disable Zoom's end-to-end encryption so that sensitive data can be exfiltrated from meetings without being noticed. SOC teams should proactively hunt for this behavior in Azure Sentinel, as it indicates potential data leakage and could signal malicious activity.
KQL Query
ZoomLogs
// Only account-level settings changes are relevant to this rule
| where Event =~ "account.settings_updated"
// columnifexists() returns "" when the flattened payload column is absent, so rows without the E2E fields fall through to the next where instead of failing
| extend NewE2ESetting = columnifexists("payload_object_settings_in_meeting_e2e_encryption_b", "")
| extend OldE2ESetting = columnifexists("payload_old_object_settings_in_meeting_e2e_encryption_b", "")
// Matches a transition of the in-meeting E2E setting from 'false' to 'true' as the rule is written; confirm against your ZoomLogs schema that this is the transition you intend to alert on
| where OldE2ESetting =~ 'false' and NewE2ESetting =~ 'true'
// Split the UPN into the name and suffix consumed by the Account entity mapping
| extend AccountName = tostring(split(User, "@")[0]), AccountUPNSuffix = tostring(split(User, "@")[1])
id: e4779bdc-397a-4b71-be28-59e6a1e1d16b
name: Zoom E2E Encryption Disabled
description: |
  'This alerts when end to end encryption is disabled for Zoom meetings.'
severity: Medium
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
  - Discovery
relevantTechniques:
  - T1040
query: |
  ZoomLogs
  | where Event =~ "account.settings_updated"
  | extend NewE2ESetting = columnifexists("payload_object_settings_in_meeting_e2e_encryption_b", "")
  | extend OldE2ESetting = columnifexists("payload_old_object_settings_in_meeting_e2e_encryption_b", "")
  | where OldE2ESetting =~ 'false' and NewE2ESetting =~ 'true'
  | extend AccountName = tostring(split(User, "@")[0]), AccountUPNSuffix = tostring(split(User, "@")[1])
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: User
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
        columnName: AccountUPNSuffix
version: 1.0.3
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  categories:
    domains: [ "Security - Others" ]
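The following is an added example, not code from the Sentinel rule or its authors: a small offline re-implementation in Python of what the KQL pipeline and the scheduled-rule settings do (the two where filters, columnifexists() defaulting, the UPN split, the entityMappings block and the triggerOperator/triggerThreshold decision), run over a few constructed ZoomLogs-style rows. Column names are the ones the query references; the row contents, the helper names and the approximation of KQL semantics (case-insensitive =~, "" for a missing split element) are assumptions. It reproduces the where clause in the same direction as written (old 'false' to new 'true'), so you can see which rows match before deciding whether that is the transition you want to alert on.

```python
"""Offline re-implementation of the Zoom E2E rule logic (added example, not the rule's own code)."""
from typing import Dict, List, Tuple

NEW_COL = "payload_object_settings_in_meeting_e2e_encryption_b"
OLD_COL = "payload_old_object_settings_in_meeting_e2e_encryption_b"

# Constructed ZoomLogs-style rows (flattened webhook payloads); not real telemetry.
SAMPLE_ZOOM_LOGS: List[Dict[str, str]] = [
    # E2E setting changed false -> true: the transition the where clause matches
    {"Event": "account.settings_updated", "User": "alice@example.com",
     OLD_COL: "false", NEW_COL: "true"},
    # E2E setting changed true -> false: not matched by the rule as written
    {"Event": "account.settings_updated", "User": "bob@example.com",
     OLD_COL: "true", NEW_COL: "false"},
    # Unrelated event type, dropped by the first where
    {"Event": "meeting.started", "User": "carol@example.com"},
    # Settings update that did not touch E2E: both columns are missing, so
    # columnifexists() substitutes "" and the second where drops the row
    {"Event": "Account.Settings_Updated", "User": "dave@example.com"},
]


def column_if_exists(row: Dict[str, str], name: str, default: str = "") -> str:
    """Mimics KQL columnifexists(): the default stands in for a missing column."""
    return row.get(name, default)


def ci_equal(left: str, right: str) -> bool:
    """Mimics KQL =~ (case-insensitive string equality)."""
    return str(left).lower() == str(right).lower()


def split_upn(user: str) -> Tuple[str, str]:
    """tostring(split(User, "@")[0]) and [1]; suffix is "" when there is no "@"."""
    parts = user.split("@")
    return parts[0], (parts[1] if len(parts) > 1 else "")


def run_rule(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the query's where/extend pipeline and return the matching rows."""
    results = []
    for row in rows:
        if not ci_equal(row.get("Event", ""), "account.settings_updated"):
            continue
        new_setting = column_if_exists(row, NEW_COL)
        old_setting = column_if_exists(row, OLD_COL)
        # Same direction as the KQL: OldE2ESetting =~ 'false' and NewE2ESetting =~ 'true'
        if not (ci_equal(old_setting, "false") and ci_equal(new_setting, "true")):
            continue
        name, suffix = split_upn(row.get("User", ""))
        results.append({**row, "NewE2ESetting": new_setting, "OldE2ESetting": old_setting,
                        "AccountName": name, "AccountUPNSuffix": suffix})
    return results


def account_entity(result: Dict[str, str]) -> Dict[str, str]:
    """The entityMappings block: result columns -> Account entity identifiers."""
    return {"FullName": result["User"],
            "Name": result["AccountName"],
            "UPNSuffix": result["AccountUPNSuffix"]}


def should_trigger(results: List[Dict[str, str]], trigger_operator: str = "gt",
                   threshold: int = 0) -> bool:
    """Scheduled-rule alert decision: compare the result count with triggerThreshold."""
    count = len(results)
    ops = {"gt": count > threshold, "lt": count < threshold,
           "eq": count == threshold, "ne": count != threshold}
    return ops[trigger_operator]


if __name__ == "__main__":
    hits = run_rule(SAMPLE_ZOOM_LOGS)
    for hit in hits:
        print(account_entity(hit))
    print("alert" if should_trigger(hits) else "no alert")
```

Running the module prints the single Account entity for alice and "alert", because one matching row exceeds the threshold of 0 under the gt operator; the bob row, which goes in the opposite direction, is silently dropped, which is the behaviour to double-check against the rule's stated intent before relying on it.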
Scenario: Scheduled Zoom Meeting Export Job
Description: A system administrator runs a scheduled job to export meeting records or logs, which temporarily disables E2E encryption during the export process.
Filter/Exclusion: Exclude events where the meeting is part of a scheduled export task using the zoom_export_job_id field or check for the presence of a known export job name in the event context.
Scenario: Zoom Integration with Third-Party App (e.g., Microsoft Teams)
Description: A Zoom meeting is joined via a third-party app like Microsoft Teams, which may bypass E2E encryption for interoperability reasons.
Filter/Exclusion: Exclude meetings where the join source is a third-party app (e.g., join_source = "teams") or check for the presence of a known integration tool in the event metadata.
Scenario: Zoom Admin Panel Configuration Change
Description: An admin manually disables E2E encryption for a specific meeting or user group via the Zoom admin console during a configuration update.
Filter/Exclusion: Exclude events where the action is performed by an admin account (e.g., user_role = "admin") or where the change is part of a known configuration update task.
Scenario: Zoom Webinar with Non-E2E Enabled Participants
Description: A webinar is hosted where some participants are using non-E2E enabled clients (e.g., legacy Zoom clients), which may cause the system to report E2E encryption as disabled.
Filter/Exclusion: Exclude events where the meeting type is a webinar (meeting_type = "webinar") or where the client version is known to not support E2E encryption.
Scenario: Zoom Meeting with External Sharing (e.g., Screen Share)
Description: During a Zoom meeting, a user shares their screen, which may temporarily disable E