
Summary
This detection rule identifies phishing attempts that use lookalike domains impersonating Zoom. It triggers when an inbound message sent from a free email provider to a single recipient contains a single link that appears to spoof a legitimate Zoom URL. To decide this, the rule checks the links in the message body and confirms they do not originate from known legitimate Zoom domains, such as zoom.us or zoom.com, among others. If the link domain contains 'zoom' in the second-level domain or a subdomain, the message has exactly one link, and the message is not a forwarded email, the rule flags it. The rule primarily targets credential phishing that relies on brand impersonation, using URL and sender address analysis to assess the risk the message poses.
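The following is an added, constructed re-implementation of the conditions summarised above, written to show how the pieces fit together; it is not the vendor's rule source. The free-provider list, the forwarded-mail heuristic (subject prefix only), the small two-label public-suffix table, and all sample messages and hostnames are assumptions for illustration, and the legitimate-domain set holds only the two domains named on the page.

```python
# Added example: lookalike-domain check modelled on the Zoom impersonation rule
# described above. Constructed for illustration; not the vendor's rule source.
from dataclasses import dataclass
from urllib.parse import urlparse

# Legitimate Zoom domains named on the page; the deployed rule allow-lists more.
LEGITIMATE_ZOOM_DOMAINS = {"zoom.us", "zoom.com"}

# Assumed, illustrative list of free mail providers; a real rule uses a maintained list.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}

# Assumption: a tiny table of two-label public suffixes so "zoom.x.co.uk" splits correctly.
# A production implementation should use the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


@dataclass
class Message:
    """Minimal inbound-message model (constructed for this example)."""
    sender: str
    recipients: list
    subject: str
    links: list  # URLs already extracted from the body


def registered_domain(host: str) -> str:
    """Return the registrable domain (second-level label + public suffix)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_zoom_lookalike(url: str) -> bool:
    """True when 'zoom' appears in the second-level label or any subdomain label
    and the registrable domain is not a legitimate Zoom domain."""
    host = urlparse(url).hostname  # lowercased, port stripped; None if unparsable
    if not host:
        return False
    reg = registered_domain(host)
    if reg in LEGITIMATE_ZOOM_DOMAINS:
        return False
    labels = host.rstrip(".").split(".")
    suffix_label_count = len(reg.split(".")) - 1
    candidates = labels[: len(labels) - suffix_label_count]  # subdomains + SLD
    return any("zoom" in label for label in candidates)


def is_forwarded(msg: Message) -> bool:
    """Assumed heuristic: subject prefix only; a real rule may inspect headers/body."""
    return msg.subject.strip().lower().startswith(("fwd:", "fw:"))


def from_free_provider(sender: str) -> bool:
    return sender.rsplit("@", 1)[-1].lower() in FREE_EMAIL_PROVIDERS


def matches_rule(msg: Message) -> bool:
    """Exactly one link, one recipient, free-provider sender, not forwarded,
    and the single link is a Zoom lookalike."""
    if len(msg.links) != 1 or len(msg.recipients) != 1:
        return False
    if is_forwarded(msg) or not from_free_provider(msg.sender):
        return False
    return is_zoom_lookalike(msg.links[0])


# Constructed sample messages; hostnames use reserved/placeholder names.
SAMPLES = {
    "lookalike_sld": Message("attacker@gmail.com", ["victim@corp.example"],
                             "Zoom meeting invitation", ["https://zoom-meeting-login.example/join/1"]),
    "lookalike_subdomain": Message("attacker@outlook.com", ["victim@corp.example"],
                                   "Join now", ["http://zoom.lookalike.example:8080/auth"]),
    "legit_zoom": Message("friend@gmail.com", ["victim@corp.example"],
                          "Zoom link", ["https://us04web.zoom.us/j/123"]),
    "two_links": Message("attacker@gmail.com", ["victim@corp.example"],
                         "Join", ["https://zoom-meeting-login.example/a", "https://corp.example/"]),
    "forwarded": Message("attacker@gmail.com", ["victim@corp.example"],
                         "Fwd: Join", ["https://zoom-meeting-login.example/a"]),
    "corporate_sender": Message("partner@vendor.example", ["victim@corp.example"],
                                "Join", ["https://zoom-meeting-login.example/a"]),
}


def run_samples() -> dict:
    """Evaluate every sample; returns {name: flagged}."""
    return {name: matches_rule(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:20s} -> {'FLAG' if hit else 'pass'}")
```

The allow-list check runs on the registrable domain rather than the full hostname, so legitimate subdomains such as us04web.zoom.us pass while any label carrying 'zoom' under another registrable domain is caught; the trade-off is that the suffix split is only as good as the suffix table behind it.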
Categories
- Web
- Identity Management
- Cloud
Data Sources
- User Account
- Network Traffic
- Web Credential
Created: 2026-02-12