Skip to content
Threat Feed
medium advisory

Zoom High Video Latency Potentially Indicating Remote Employment Fraud

This analytic identifies Zoom users exhibiting high video latency, a potential indicator of Remote Employment Fraud (REF), by analyzing Zoom logs for average and overall latency and highlighting users with latency exceeding 300ms.

This detection focuses on identifying Zoom users exhibiting unusually high video latency, which can be an indicator of Remote Employment Fraud (REF). Threat actors engaged in REF often operate from locations with suboptimal network infrastructure or utilize network manipulation techniques that result in elevated latency. The detection analyzes Zoom logs to identify users whose video streams exhibit an average latency exceeding 300ms, a threshold that, while potentially indicative of a simple network issue, when combined with other indicators, may suggest fraudulent activity. The detection leverages Zoom logs ingested using Splunk Connect for Zoom. Initial version was released on 2026-04-15.

Attack Chain

  1. Attacker gains unauthorized access to a legitimate employee's Zoom account or creates a fraudulent account.
  2. The attacker initiates a Zoom meeting or joins an existing meeting.
  3. During the meeting, the attacker may be using a compromised or remote machine with a high-latency network connection.
  4. Zoom logs record the high video latency associated with the attacker's account, specifically in the payload.object.participant.qos{}.details.avg_latency field.
  5. The Splunk detection identifies the high latency event, flagging the associated email address.
  6. Analysts investigate the flagged user, correlating the high latency with other suspicious activities.
  7. Risk scoring increases for the user account based on high video latency.
  8. If REF is confirmed, the compromised account is terminated, and access is revoked.

Impact

Successful REF can lead to financial losses, data breaches, and reputational damage for organizations. Although high latency alone is not definitive evidence of REF, it serves as a valuable indicator when correlated with other suspicious activities. This detection helps security teams identify potentially compromised accounts and prevent further fraudulent activities. The number of potential victims is dependent on the number of compromised accounts within the organization.

Recommendation

  • Deploy the Sigma rule Detect Zoom High Video Latency to your SIEM to identify potentially fraudulent accounts based on high video latency.
  • Enable Zoom logging and ingest logs using Splunk Connect for Zoom (https://splunkbase.splunk.com/app/4961) to ensure the availability of necessary data for this detection.
  • Tune the latency threshold in the Sigma rule (overall_latency>300) to align with your environment baseline and reduce false positives.
  • Investigate any alerts generated by this detection and correlate them with other security events to identify potential Remote Employment Fraud.

Detection coverage 2

Detect Zoom High Video Latency

medium

Detects high video latency from Zoom logs, potentially indicating Remote Employment Fraud.

sigma tactics: credential_access techniques: T1078 sources: webserver, linux

Detect Zoom User with Consistently High Latency

medium

Detects a Zoom user that consistently exhibits high video latency across multiple Zoom sessions.

sigma tactics: credential_access techniques: T1078 sources: webserver, linux

Detection queries are available on the platform. Get full rules →

Indicators of compromise

1

email

TypeValue
email*