Zoom Meetings Created Without Passcodes
Detection of Zoom meetings created without a passcode, which are susceptible to Zoombombing and potential disruption or exposure of sensitive information.
This brief focuses on the risk associated with Zoom meetings created without a passcode. When meetings lack this basic security measure, they become vulnerable to "Zoombombing," where unauthorized individuals disrupt the session with offensive or inappropriate content. The Elastic detection rule, published on 2026-04-10, identifies such meetings by monitoring Zoom event logs. This is particularly relevant for organizations using Zoom for internal and external communication, as the lack of a passcode can lead to reputational damage, exposure of sensitive information, and overall disruption of business operations. Ensuring that all meetings are password-protected is a simple yet effective way to mitigate this risk.
Attack Chain
- A Zoom meeting is created by a user without enabling the passcode feature.
- The meeting details (including the meeting ID) are potentially shared publicly or become discoverable through automated tools.
- Attackers or malicious actors identify the unprotected Zoom meeting.
- Attackers join the meeting without any authentication or authorization.
- Once inside the meeting, attackers disrupt the session by sharing inappropriate content (e.g., images, videos, audio).
- Participants within the meeting are exposed to the offensive content, leading to disruption and potential reputational damage.
- The meeting organizer is forced to terminate the session to stop the disruption.
- The organization experiences a loss of productivity and may face public criticism due to the incident.
Impact
Failure to secure Zoom meetings with passcodes can lead to significant disruptions, with potential exposure of sensitive information and reputational damage. While the exact number of victims is difficult to quantify, Zoombombing incidents have affected organizations across various sectors. Successful attacks can result in the shutdown of meetings, loss of productivity, and the need for damage control. The impact extends beyond immediate disruption to potential long-term damage to an organization's reputation and client trust.
Recommendation
- Deploy the Sigma rule provided below to detect Zoom meetings created without a password.
- Enable Zoom Filebeat module to properly ingest the Zoom logs required for detection.
- Review Zoom configuration settings to enforce mandatory passcodes for all future meetings.
- Implement enhanced monitoring and alerting for Zoom meeting creation events to quickly detect and respond to any future instances of meetings being set up without passcodes.
- Educate users on the importance of using passcodes for all Zoom meetings to prevent unauthorized access and potential disruptions.
Detection coverage 2
Zoom Meeting Created Without Passcode
mediumDetects Zoom meetings created without a passcode, which are vulnerable to unauthorized access and disruption.
Zoom Meeting Creation Event Without Password
mediumDetects zoom meeting creation without password
Detection queries are available on the platform. Get full rules →