Fake Zoom meeting invite with suspicious link

Sublime Rules

Summary
This detection rule identifies phishing attempts in which attackers impersonate Zoom meeting invites and embed links that do not originate from legitimate Zoom domains. It inspects inbound messages for several characteristics together: Zoom-related language, the absence of legitimate recipient details (an 'Undisclosed recipients' header or no recipients at all), and suspicious link patterns. The language check looks for keywords commonly associated with Zoom meetings, such as 'Zoom meeting', 'Meeting ID', and 'Participants'. The link check confirms that the links do not point to reputable Zoom domains and examines the domain names for indicators of malicious intent (for example, certain top-level domains or known phishing characteristics). Auto-generated meeting summaries, which reuse the same wording and could otherwise trigger a false positive, are excluded. By combining Natural Language Understanding (NLU) with URL analysis, the rule aims to protect against phishing threats that masquerade as legitimate Zoom communications.
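The following is an added illustration of the detection logic described above, written in plain Python rather than the rule's own query language; it is not the Sublime rule itself. The legitimate Zoom domain list, the risky-TLD list, the 'zoom' lookalike check and the sample messages are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass

# Assumed legitimate Zoom domains (an assumption for this example, not the rule's list).
ZOOM_DOMAINS = {"zoom.us", "zoom.com"}
# Zoom-related wording the summary names as indicators.
ZOOM_PHRASES = ("zoom meeting", "meeting id", "participants")
# Constructed sample of risky TLDs; a real rule would use its own curated list.
SUSPICIOUS_TLDS = {"top", "xyz", "icu", "click"}


@dataclass
class Message:
    subject: str
    body: str
    recipients: list  # values of the To: header; empty when missing
    links: list       # URLs extracted from the body


def registered_domain(url: str) -> str:
    """Return the last two host labels of a URL, e.g. 'zoom-join.top'."""
    host = re.sub(r"^[a-z]+://", "", url.lower()).split("/")[0].split(":")[0]
    return ".".join(host.split(".")[-2:])


def suspicious_link(url: str) -> bool:
    """Flag links outside Zoom's domains that use a risky TLD or a 'zoom' lookalike."""
    domain = registered_domain(url)
    if domain in ZOOM_DOMAINS:
        return False
    tld = domain.rsplit(".", 1)[-1]
    # The lookalike test is an assumed heuristic, not one the page specifies.
    return tld in SUSPICIOUS_TLDS or "zoom" in domain


def is_fake_zoom_invite(msg: Message) -> bool:
    """Zoom wording + undisclosed/missing recipients + suspicious link."""
    text = (msg.subject + "\n" + msg.body).lower()
    if not any(phrase in text for phrase in ZOOM_PHRASES):
        return False
    # Auto-generated meeting summaries reuse the same wording; exclude them.
    if "meeting summary" in text:
        return False
    undisclosed = not msg.recipients or any(
        "undisclosed recipients" in r.lower() for r in msg.recipients)
    return undisclosed and any(suspicious_link(u) for u in msg.links)
```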
Categories
  • Web
  • Application
  • Identity Management
Data Sources
  • User Account
  • Application Log
Created: 2025-12-02