
Summary
This detection rule identifies phishing messages that impersonate Zoom through their HTML styling. It runs an XPath query over the HTML body of inbound messages for table cells (td elements) whose style uses the distinctive blue rgb(11,92,255) associated with Zoom's branding, and checks whether those cells contain a header element (h1) whose displayed text contains 'zoom' when compared case-insensitively. Because the color check is a string comparison on the literal rgb(11,92,255), an equivalent value written differently (for example the hex form #0B5CFF, or extra spacing inside the parentheses) would not be matched, so the rule should be read as a high-precision signal rather than a complete cover of Zoom-styled templates. The technique is brand impersonation within the broader attack type of credential phishing, delivered through social engineering. The rule is rated medium severity, since recipients who trust the impersonated brand may hand credentials or other sensitive information to the attacker.
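The following is an added example, not the rule's own code or the vendor's query language: it applies the same predicate described above (a Zoom-blue td containing an h1 that mentions 'zoom') to constructed HTML samples using only the Python standard library. The XPath shown in the comment is an assumed rendering of the rule's logic, since the page does not quote the exact query, and the whitespace normalization of the style value goes one step beyond the literal string comparison the page describes.

```python
from html.parser import HTMLParser

# Assumed XPath equivalent of the rule described on the page (the page does not
# quote the actual query):
#
#   //td[contains(@style, 'rgb(11,92,255)')]//h1[
#       contains(translate(., 'ZOOM', 'zoom'), 'zoom')]
#
# The scanner below applies the same predicate with html.parser, so it runs
# offline without lxml and tolerates the sloppy HTML common in email bodies.

ZOOM_BLUE = "rgb(11,92,255)"


def _style_has_zoom_blue(style: str) -> bool:
    # Assumption beyond the page's rule: collapse whitespace and case so that
    # "RGB(11, 92, 255)" still matches; a literal contains() check would not.
    return ZOOM_BLUE in "".join(style.split()).lower()


class _ZoomBrandScanner(HTMLParser):
    """Collects the text of every <h1> that sits inside a Zoom-blue <td>."""

    def __init__(self):
        super().__init__()
        self._stack = []      # open tags as (tag, is_zoom_blue_td)
        self._h1_open = 0     # nesting depth of <h1> inside a blue <td>
        self._h1_buf = []     # text collected for the current <h1>
        self.hits = []        # normalized h1 texts found inside blue cells

    def _in_blue_td(self) -> bool:
        return any(flag for _, flag in self._stack)

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        blue = tag == "td" and _style_has_zoom_blue(style)
        self._stack.append((tag, blue))
        if tag == "h1" and self._in_blue_td():
            self._h1_open += 1

    def handle_data(self, data):
        # Descendant text (like XPath string value), not only direct text nodes.
        if self._h1_open:
            self._h1_buf.append(data)

    def handle_endtag(self, tag):
        # Pop back to the nearest matching open tag; unclosed tags are common.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break
        if tag == "h1" and self._h1_open:
            self._h1_open -= 1
            if self._h1_open == 0:
                self.hits.append(" ".join("".join(self._h1_buf).split()))
                self._h1_buf = []


def zoom_brand_h1_texts(html: str) -> list:
    """Return the h1 texts found inside Zoom-blue table cells."""
    scanner = _ZoomBrandScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits


def matches_zoom_impersonation(html: str) -> bool:
    """True when an h1 inside a Zoom-blue td mentions 'zoom' (case-insensitive)."""
    return any("zoom" in text.lower() for text in zoom_brand_h1_texts(html))


# Constructed samples for illustration; none is a real captured message.
PHISH_HTML = """
<table><tr>
  <td style="background-color: rgb(11,92,255); padding:24px">
    <h1 style="color:#fff">Zoom</h1>
    <p>You missed a meeting. <a href="http://example.invalid/login">Review</a></p>
  </td>
</tr></table>
"""

BENIGN_SAME_COLOR = """
<table><tr><td style="background:rgb(11, 92, 255)"><h1>Weekly newsletter</h1></td></tr></table>
"""

ZOOM_TEXT_OTHER_COLOR = """
<table><tr><td style="background:rgb(200,30,30)"><h1>ZOOM sale ends today</h1></td></tr></table>
"""

if __name__ == "__main__":
    for name, sample in [("phish", PHISH_HTML),
                         ("benign", BENIGN_SAME_COLOR),
                         ("other_color", ZOOM_TEXT_OTHER_COLOR)]:
        print(name, matches_zoom_impersonation(sample), zoom_brand_h1_texts(sample))
```

Only the first sample fires: the second has the brand color but no 'zoom' in its header, and the third mentions ZOOM in a cell of a different color, which is exactly the two-part conjunction the rule relies on to keep false positives low.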
Categories
- Endpoint
- Web
- Application
- Identity Management
Data Sources
- User Account
- Web Credential
- Application Log
- Network Traffic
Created: 2026-02-28