Attachment: Fake Zoom installer

Sublime Rules

Summary
This detection rule targets malicious emails that carry HTML attachments impersonating legitimate software, specifically fake Zoom installers. It applies to inbound messages containing attachments whose file extension or type is HTML (.html, .htm and similar). Those attachments are then analyzed for text that asks the recipient to download software, and for screenshots or logos resembling Zoom's branding, with emphasis on high-confidence logo matches. If the attachment also contains a link to an executable (.exe) file hosted on a domain outside the organization's trusted domains, the rule flags the email as suspicious. The rule is aimed at social engineering that relies on brand impersonation to trick users into executing malicious files; combining URL and HTML analysis with natural language processing improves detection of such threats.
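The conditions summarised above can be emulated outside the Sublime platform. The Python script below is an added example, not the rule's source (which this page does not include): it parses a constructed message, checks each HTML attachment for a download request, Zoom branding and a link to an .exe hosted off the organisation's domains, and flags the message only when all three hold. The org domain list, the download phrase list and the keyword-based brand check are assumptions, standing in for the rule's NLU classifier and ML logo detection.

```python
"""Added example: emulation of the 'Fake Zoom installer' attachment logic.
Not Sublime's rule source; ORG_DOMAINS, DOWNLOAD_REQUEST and BRAND are assumed
stand-ins for the rule's configured org domains, NLU and logo detection."""
import email
import os
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

HTML_EXTENSIONS = {".html", ".htm", ".xhtml", ".shtml"}
HTML_MIME_TYPES = {"text/html", "application/xhtml+xml"}
ORG_DOMAINS = {"example.com"}  # assumed: the organisation's own domains
# Stand-in for the NLU "requests to download software" intent.
DOWNLOAD_REQUEST = re.compile(
    r"\b(download|install|run)\b.{0,80}\b(installer|update|client|software|app|zoom)\b", re.I)
# Stand-in for ML logo detection: brand name in visible text, alt text or image paths.
BRAND = re.compile(r"\bzoom\b", re.I)


class HtmlScan(HTMLParser):
    """Collect hyperlinks, visible text and image hints from an HTML attachment."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self.image_hints = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img":
            self.image_hints.append(f"{a.get('alt') or ''} {a.get('src') or ''}")

    def handle_data(self, data):
        self.text.append(data)


def is_html_attachment(part) -> bool:
    """Match on file extension or declared content type, as the rule does."""
    ext = os.path.splitext((part.get_filename() or "").lower())[1]
    return ext in HTML_EXTENSIONS or part.get_content_type() in HTML_MIME_TYPES


def exe_links_off_org(links, org_domains=ORG_DOMAINS):
    """Return http(s) links whose path ends in .exe and whose host is not an org domain."""
    hits = []
    for href in links:
        u = urlparse(href)
        host = (u.hostname or "").lower()
        if u.scheme not in ("http", "https") or not u.path.lower().endswith(".exe"):
            continue
        if host in org_domains or any(host.endswith("." + d) for d in org_domains):
            continue
        hits.append(href)
    return hits


def analyze_message(raw: bytes, org_domains=ORG_DOMAINS) -> dict:
    """Apply the rule's conditions to every HTML attachment of one inbound message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdict = {"flagged": False, "reasons": [], "exe_urls": []}
    for part in msg.iter_attachments():
        if not is_html_attachment(part):
            continue
        body = part.get_content()
        if isinstance(body, bytes):
            body = body.decode("utf-8", "replace")
        scan = HtmlScan()
        scan.feed(body)
        scan.close()
        text = re.sub(r"\s+", " ", " ".join(scan.text))
        asks_download = bool(DOWNLOAD_REQUEST.search(text))
        shows_brand = bool(BRAND.search(text + " " + " ".join(scan.image_hints)))
        exe_urls = exe_links_off_org(scan.links, org_domains)
        if asks_download and shows_brand and exe_urls:
            verdict["flagged"] = True
            verdict["reasons"].append(
                f"{part.get_filename()}: download lure + Zoom branding + .exe off org domains")
            verdict["exe_urls"].extend(exe_urls)
    return verdict


def build_sample(exe_host: str) -> bytes:
    """Constructed test message (not a real sample): fake 'Zoom update' HTML attachment."""
    msg = EmailMessage()
    msg["From"] = "it-helpdesk@lookalike.invalid"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Action required: update your Zoom client"
    msg.set_content("Open the attached page to update Zoom.")
    html = (
        "<html><body><img src='zoom-logo.png' alt='Zoom'>"
        "<p>Your Zoom client is out of date. Download the update below to keep joining meetings.</p>"
        f"<a href='https://{exe_host}/ZoomInstaller.exe'>Download Zoom</a></body></html>"
    )
    msg.add_attachment(html, subtype="html", filename="zoom-update.html")
    return msg.as_bytes()


if __name__ == "__main__":
    print(analyze_message(build_sample("files.zoom-update-portal.invalid")))  # flagged
    print(analyze_message(build_sample("downloads.example.com")))  # not flagged: org host
```

The second sample shows why the org-domain allowlist matters: the same lure pointing at an executable on one of the organisation's own domains is not flagged, which keeps legitimate internal software distribution pages out of the alerts. In a real deployment the keyword checks would be replaced by the platform's NLU and logo-detection outputs; the structure of the decision (all three signals together, not any one alone) is the part worth keeping.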
Categories
  • Endpoint
  • Web
  • Cloud
Data Sources
  • File
  • Network Traffic
  • Application Log
Created: 2023-10-19