
Summary
This rule flags inbound messages that contain a link whose URL path looks like a Loom HTML file. It walks the links extracted from the message body (body.current_thread.links) and tests each link's href_url.path against the regex /loom/[^\/]+\.html, that is, a path segment named loom followed by a single file name ending in .html. One matching link is enough to fire the rule.

The check is path-only and host-agnostic: it does not look at which domain serves the file. Genuine Loom share links take the form loom.com/share/<id>, so a /loom/<name>.html path is characteristic of lookalike pages hosted elsewhere that borrow the brand to pass as a shared recording and then ask the recipient to sign in or take some other action. The rule is therefore categorized as Credential Phishing with the tactics Impersonation: Brand and Social engineering, and uses HTML analysis (link extraction) and URL analysis (path pattern matching) as its detection methods.

The risk is that a recipient who trusts the Loom-branded page hands over credentials or other sensitive information.

Mitigations on the mail-security side include enabling URL reputation checks, routing matched links through web filtering or content sandboxing, layering brand-impersonation checks on top of this rule, and keeping users trained on phishing lures.

Tuning notes: the regex as written is case-sensitive and unanchored at the end, so /LOOM/Page.HTML is missed while /loom/x.html.bak is caught. Consider case-insensitive matching, decode percent-encoded paths before matching, and keep in mind that a path carried only in a query string (for example behind a redirector) or hidden by a URL shortener will not match, because only the path component is examined. Complementary signals include comparing the link's actual host against Loom's own domain (loom.com) with domain reputation data, and watching for other credential-theft indicators in inbound mail.
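The following is an added worked example, not the rule engine's own code: it extracts anchors from a constructed HTML body (standing in for body.current_thread.links), reduces each href to its path component, and applies the rule's regex with the case-insensitive and percent-decoding tuning described above. The hostnames under .example, example.com and example.net are reserved documentation names and are assumptions; the loom.com/share/<id> link reflects the genuine Loom share URL shape.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# The rule's pattern, applied to the path component only. IGNORECASE is the
# tuning suggested above; the rule as summarized is case-sensitive.
LOOM_HTML_PATH = re.compile(r"/loom/[^/]+\.html", re.IGNORECASE)


class _HrefCollector(HTMLParser):
    """Collect href values from <a> tags; stands in for body.current_thread.links."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value.strip())


def extract_links(html_body):
    parser = _HrefCollector()
    parser.feed(html_body)
    return parser.hrefs


def link_path(href):
    """Path component of the link (host, query and fragment discarded),
    percent-decoded once so /loom/%73hare.html is seen as /loom/share.html."""
    return unquote(urlsplit(href).path)


def classify_links(html_body):
    """Return (href, path, matched) for every anchor in the body."""
    results = []
    for href in extract_links(html_body):
        path = link_path(href)
        results.append((href, path, bool(LOOM_HTML_PATH.search(path))))
    return results


def is_suspected_loom_phish(html_body):
    """Rule verdict: any matching link is enough to fire."""
    return any(matched for _, _, matched in classify_links(html_body))


# Constructed sample body (assumed hosts under .example, example.com and
# example.net are reserved names; the loom.com link is the genuine share shape).
CONSTRUCTED_BODY = """
<p>You have a new recording waiting.</p>
<a href="https://cdn-share-files.example/loom/recording-4421.html?u=victim">Watch recording</a>
<a href="https://files.example.net/docs/LOOM/Voice_Message.HTML">Voice message</a>
<a href="https://host.example/loom/%73hare.html">Open share</a>
<a href="https://www.loom.com/share/0123456789abcdef0123456789abcdef">Real Loom share</a>
<a href="https://example.com/?next=/loom/x.html">Redirector</a>
<a href="https://mail.example.com/unsubscribe">Unsubscribe</a>
"""

if __name__ == "__main__":
    for href, path, matched in classify_links(CONSTRUCTED_BODY):
        print(f"{'MATCH' if matched else 'ok   '} {path:40} {href}")
    print("verdict:", is_suspected_loom_phish(CONSTRUCTED_BODY))
```

Running it shows the first three links matching (plain, upper-case, and percent-encoded variants) while the real loom.com share link and the redirector are left alone; the redirector case is the path-only limitation noted in the tuning notes, since the /loom/x.html string lives in the query string and never reaches the regex.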
Categories
- Web
Data Sources
- Network Traffic
Created: 2026-05-07