Brand impersonation: Zoom (strict)

Sublime Rules

Summary
This rule detects email messages that impersonate the video conferencing service Zoom, using strict matching criteria for the sender display name. It triggers when the sender's display name exactly matches 'zoom', 'zoom video communications, inc.', or 'zoom call'. It then requires that the sender's email domain is not one of the known legitimate Zoom domains (zoom.us, zuora.com, zoomgov.com, zoom.com). The rule also checks whether the email comes from a known free email provider and whether the organization has previously communicated with the sender's email address or domain, so that it flags only unsolicited emails from new contacts. Designed primarily for inbox protection against credential phishing, it uses sender analysis to assess the legitimacy of a message and protect users from brand impersonation attacks that rely on social engineering.
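The checks in the summary, written out as an added Python example (not the rule's own source) and run against constructed From headers. Assumptions: the function names and lookup sets are hypothetical, display names are compared case-insensitively, free-mail senders are judged by full address and all others by domain, and the root domain is approximated as the last two labels.

```python
from email.utils import parseaddr

# Display names and legitimate domains are taken from the rule summary.
DISPLAY_NAMES = {"zoom", "zoom video communications, inc.", "zoom call"}
LEGIT_DOMAINS = {"zoom.us", "zuora.com", "zoomgov.com", "zoom.com"}

# Constructed stand-ins for the organization's own lists (assumptions).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com"}
KNOWN_SENDER_EMAILS = {"jane.doe@gmail.com"}
KNOWN_SENDER_DOMAINS = {"partner.example"}


def root_domain(domain):
    # Simplification: last two labels. Production code needs the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def evaluate(from_header):
    """Return (flagged, reason) for one From header value."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    root = root_domain(domain)
    # Strict match: "Zoom Support" or "Zoom Meetings" do not qualify.
    if display.strip().lower() not in DISPLAY_NAMES:
        return False, "display name is not an exact Zoom match"
    if root in LEGIT_DOMAINS:
        return False, "sender domain is a legitimate Zoom domain"
    if root in FREE_EMAIL_PROVIDERS:
        # Free-mail domains are shared by many users, so history is per address.
        if addr in KNOWN_SENDER_EMAILS:
            return False, "previously seen free-mail address"
        return True, "Zoom display name from a new free-mail address"
    if domain in KNOWN_SENDER_DOMAINS:
        return False, "previously seen sender domain"
    return True, "Zoom display name from a new sender domain"


# Constructed sample headers.
SAMPLES = [
    "Zoom <no-reply@zoom.us>",
    "Zoom Call <zoom.invite@gmail.com>",
    '"Zoom Video Communications, Inc." <billing@zoom-invoices.example>',
    "Zoom <it@partner.example>",
    "Zoom Support <help@unknown.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", evaluate(header))
```

The last sample is not flagged because the display name is not an exact match, which is the gap a strict rule accepts in exchange for fewer false positives.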
Categories
  • Identity Management
  • Web
  • Network
Data Sources
  • User Account
  • Application Log
  • Process
Created: 2021-02-19