Sync from PR#838

New rule: attachment_fake_zoom_installer.yml by @aidenmitchell
#838
Source SHA ddb151c
Triggered by @morriscode

detection-rules/attachment_fake_zoom_installer.yml

@@ -1,6 +1,6 @@
-name: "Attachment: Fake Slack installer"
+name: "Attachment: Fake Zoom installer"
 description: |
-  HTML attachment contains a Slack logo, request language, and a link to an executable. Observed in the wild.
+  HTML attachment contains a Zoom logo, request language, and a link to an executable. Observed in the wild.
 type: "rule"
 severity: "high"
 source: |
@@ -14,7 +14,7 @@ source: |
         )
         and any(file.explode(.),
                 any(ml.logo_detect(file.html_screenshot(..)).brands,
-                    .name == "Slack" and .confidence in ("medium", "high")
+                    .name == "Zoom" and .confidence in ("medium", "high")
                 )
                 and any(ml.nlu_classifier(file.parse_html(..).display_text).entities,
                         .name == "request" and .text =~ "download"
@@ -33,7 +33,7 @@ source: |
                      or ..content_type == "text/html"
                    )
                    and any(ml.logo_detect(file.html_screenshot(..)).brands,
-                           .name == "Slack" and .confidence in ("medium", "high")
+                           .name == "Zoom" and .confidence in ("medium", "high")
                    )
                    and any(ml.nlu_classifier(file.parse_html(..).display_text).entities,
                            .name == "request" and .text =~ "download"
@@ -59,6 +59,6 @@ detection_methods:
   - "HTML analysis"
   - "Natural Language Understanding"
   - "URL analysis"
-id: "cded2d2f-a5ca-5754-9f2a-d6bdf28baab4"
+id: "840a12a6-a796-5e73-b975-1d1b5f745aea"
 testing_pr: 838
-testing_sha: 795a79d68f90376c7a99e0cd13a25c522898f5df
+testing_sha: ddb151c77a85fa06cd2770b5b50d60f0dde83a33