Callback Phishing via Zoom comment

Sublime Rules

Summary
This rule detects callback phishing that abuses legitimate Zoom infrastructure: the lure is delivered as a Zoom comment notification, so the email really does come from Zoom, while its content impersonates well-known brands such as McAfee, Norton, and PayPal and urges the recipient to call a fraudulent support line. Because the sender is genuine, authentication alone cannot separate these messages from real Zoom mail, so the rule combines several conditions:
  • The message originates from the Zoom domain (`zoom.us`) and passes SPF or DMARC, confirming it transited Zoom's own infrastructure rather than being spoofed.
  • Image analysis of the message finds a Zoom logo, confirming it is rendered as a Zoom communication.
  • Regular expressions over the body identify mentions of brand names commonly associated with tech support or online transactions.
  • At least three financial or transactional keywords (for example 'purchase', 'payment', 'subscription') appear in the body.
  • A regex for phone number formats common in these scams finds a callback number in the body.
  • As a safeguard against false positives, Zoom's legitimate automated meeting summaries are excluded, so only messages that satisfy every other condition and are not meeting summaries are flagged.
Taken together, these conditions let organizations spot callback phishing attempts orchestrated via Zoom comments without alerting on ordinary Zoom traffic.
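The following Python is an added illustration of the detection logic described above, written for this page; it is not Sublime's rule source and does not use Sublime's query language. The `Message` fields, the brand and keyword lists, the phone-number regex, the "meeting summary" marker used for the exclusion, and the sample messages are all constructed assumptions standing in for the platform's own data model. The third sample extends the page's description slightly by showing how a spoofed sender that fails authentication is rejected by the first check.

```python
"""Illustrative re-implementation of the callback-phishing-via-Zoom detection logic.

Added example, not Sublime's rule source. Message fields, keyword lists, regexes
and sample messages below are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# Assumed brand list: the page names McAfee, Norton and PayPal as examples.
BRAND_RE = re.compile(r"\b(mcafee|norton|paypal)\b", re.I)

# Assumed financial/transactional vocabulary; the rule requires at least three distinct hits.
FINANCIAL_KEYWORDS = (
    "purchase", "payment", "subscription", "invoice",
    "renewal", "charged", "refund", "order",
)
KEYWORD_RE = re.compile(r"\b(" + "|".join(FINANCIAL_KEYWORDS) + r")\b", re.I)

# Assumed phone pattern: optional country code, then 3-3-4 digit groups with common separators.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

# Assumed marker for Zoom's automated meeting summaries (the false-positive exclusion).
MEETING_SUMMARY_RE = re.compile(r"\bmeeting summary\b", re.I)


@dataclass
class Message:
    """Constructed stand-in for a parsed email plus its authentication results."""
    sender_domain: str
    spf_pass: bool
    dmarc_pass: bool
    body: str
    # Assumed output of an upstream image-analysis step that names logos found in the message.
    detected_logos: list = field(default_factory=list)


def financial_keyword_hits(body):
    """Return the sorted set of distinct financial keywords present in the body."""
    return sorted({m.lower() for m in KEYWORD_RE.findall(body)})


def evaluate(msg):
    """Evaluate each condition separately so analysts can see which one failed."""
    criteria = {
        # Genuinely sent by Zoom: correct domain and SPF or DMARC passes.
        "from_zoom_authenticated": msg.sender_domain.lower() == "zoom.us"
        and (msg.spf_pass or msg.dmarc_pass),
        # Rendered as a Zoom communication (logo found by image analysis).
        "zoom_logo": any(logo.lower() == "zoom" for logo in msg.detected_logos),
        "brand_mentioned": bool(BRAND_RE.search(msg.body)),
        "financial_keywords": len(financial_keyword_hits(msg.body)) >= 3,
        "phone_number": bool(PHONE_RE.search(msg.body)),
        # Safeguard: legitimate automated meeting summaries are never flagged.
        "not_meeting_summary": not MEETING_SUMMARY_RE.search(msg.body),
    }
    criteria["match"] = all(criteria.values())
    return criteria


# Constructed samples: a callback lure, a legitimate summary, and a spoofed sender.
PHISH = Message(
    "zoom.us", True, True,
    "A comment was added: Your Norton subscription renewal was processed. "
    "Payment of $349.99 charged. To cancel this purchase call 1-800-555-0199.",
    ["zoom"],
)
SUMMARY = Message(
    "zoom.us", True, False,
    "Meeting summary for Weekly Sync: finance reviewed the PayPal invoice, payment "
    "schedule and subscription renewal. Dial-in for follow-up: (415) 555-0100.",
    ["zoom"],
)
SPOOF = Message("zoom-support.example", False, False, PHISH.body, [])

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("summary", SUMMARY), ("spoof", SPOOF)):
        print(name, evaluate(msg))
```

The meeting-summary sample deliberately satisfies every positive condition (authenticated Zoom sender, logo, brand, four keywords, a dial-in number) so that only the exclusion prevents a match; that is the false-positive case the rule guards against, and evaluating conditions individually makes it visible in triage which one held.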
Categories
  • Web
  • Cloud
  • Identity Management
Data Sources
  • Web Credential
  • Application Log
  • Network Traffic
Created: 2025-08-06