
Summary
This detection rule identifies fraudulent messages that impersonate Zoom, focusing on social media links, webinar links, and suspicious domain patterns. It combines direct link analysis with content examination. The rule fires when it finds specific combinations of Zoom-related social media links, such as links to Zoom's Twitter or LinkedIn pages, or other content that associates the message with Zoom while the message originates from a non-legitimate domain. It also checks for content matching a known phishing format, specifically references to events and webinars combined with high-confidence logo detection of Zoom branding. Additional scrutiny is applied when links claim to lead to Zoom's official domains but do not, including analysis against known suspicious top-level domains. Messages that appear to be replies or forwards are excluded unless they fit specific criteria. Finally, the rule does not flag messages that actually originate from legitimate Zoom-affiliated domains, as confirmed through email authentication checks.
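The following is an added illustration of the rule's logic in Python, not the rule's own code: the legitimate-domain, social-link and suspicious-TLD lists, the 0.9 logo threshold and the message fields are all assumptions, and the reply/forward exception criteria the page mentions are not reproduced because they are not described.

```python
import re
from urllib.parse import urlparse

# Constructed lists: the real rule's indicator sets are not on the page.
LEGIT_ZOOM_DOMAINS = {"zoom.us", "zoom.com"}
ZOOM_SOCIAL_LINKS = {"twitter.com/zoom", "linkedin.com/company/zoom-video-communications"}
SUSPICIOUS_TLDS = {"xyz", "top", "icu", "click"}  # illustrative only
EVENT_WORDS = re.compile(r"\b(webinar|event|meeting invitation)\b", re.I)

def _domain(url):
    return urlparse(url).netloc.lower().split(":")[0]

def _registered(domain):
    """Crude eTLD+1 (last two labels); a real rule would use a public-suffix list."""
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain

def _path_key(url):
    p = urlparse(url)
    return (p.netloc.lower() + p.path.rstrip("/")).removeprefix("www.")

def is_zoom_impersonation(msg):
    """msg keys (assumed): sender_domain, auth_pass (SPF/DKIM/DMARC aligned),
    subject, body, links (list of URLs), logo_confidence (0..1 from a logo model)."""
    # Authenticated mail from Zoom's own domains is never flagged.
    if _registered(msg["sender_domain"]) in LEGIT_ZOOM_DOMAINS and msg["auth_pass"]:
        return False
    # Replies and forwards are excluded (the page's exception criteria are not given).
    if re.match(r"^\s*(re|fwd?)\s*:", msg["subject"], re.I):
        return False
    link_domains = [_domain(u) for u in msg["links"]]
    link_keys = {_path_key(u) for u in msg["links"]}
    # Signal A: Zoom social-media links in mail from a non-Zoom sender.
    social = bool(link_keys & ZOOM_SOCIAL_LINKS)
    # Signal B: event/webinar lure plus high-confidence Zoom logo.
    text = msg["subject"] + " " + msg["body"]
    lure = bool(EVENT_WORDS.search(text)) and msg["logo_confidence"] >= 0.9
    # Signal C: a link that looks like Zoom (or sits on a suspicious TLD) but does
    # not resolve to a Zoom registered domain, in a message carrying Zoom branding.
    spoofed = [d for d in link_domains if _registered(d) not in LEGIT_ZOOM_DOMAINS
               and ("zoom" in d or d.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS)]
    branded = "zoom" in text.lower() or msg["logo_confidence"] >= 0.9
    return social or lure or (bool(spoofed) and branded)
```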
Categories
- Web
- Cloud
- Identity Management
Data Sources
- User Account
- Network Traffic
- Web Credential
- Application Log
Created: 2025-05-15