
Service Abuse: Zoom with freemail reply-to and recipient address in greeting

Sublime Rules

Summary
This detection rule flags inbound messages that impersonate Zoom by requiring several signals at once: the sender address is no-reply@zoom.us, the Reply-To address belongs to a freemail provider, the Reply-To sender profile is newly seen and not one the recipient has previously solicited, and the greeting line contains the recipient's email address or domain where a person's name would normally appear. For the last check the rule takes the first line of the message body, splits it on whitespace, and treats the second token (the word after "Hi", "Hello", "Dear" and the like) as an email address; it parses the root domain out of that token and compares it with the root domain of the recipient's address. A match on the root domain, together with the sender and Reply-To conditions above, triggers the rule. The approach combines sender and header analysis with body-content inspection to catch phishing or spoofing that borrows Zoom branding while steering replies to an attacker-controlled freemail mailbox. Because only the first body line and only its second token are inspected, a greeting laid out differently (address in a later position, or on a later line) will not satisfy this condition.
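The following Python is an added illustration of the logic described above, written for this page; it is not the rule's own Sublime query language, and the freemail list, the profile flags and the sample messages are constructed stand-ins. It implements the greeting-token extraction and root-domain comparison over a few constructed messages, and it generalizes slightly by accepting a bare domain in the greeting as well as a full address, since the summary says either may appear.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed, deliberately short freemail list; a real engine ships a much larger one.
FREEMAIL_PROVIDERS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}
ZOOM_SENDER = "no-reply@zoom.us"

# Only the local part/host shape matters here; stricter RFC parsing is not the point.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class Message:
    """Hypothetical message shape; the two profile flags stand in for
    the sender-profile prevalence ("new") and solicited lookups."""
    sender: str
    reply_to: Optional[str]
    recipients: List[str]
    body_first_line: str
    reply_to_is_new: bool
    reply_to_solicited: bool


def root_domain(host: str) -> str:
    """Simplified root-domain extraction: the last two labels.
    A real engine uses the public suffix list (co.uk, com.au, ...); this is a shortcut."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def greeting_token(first_line: str) -> Optional[str]:
    """Second whitespace-separated token of the greeting line, minus trailing punctuation,
    e.g. 'Hi alice@acme.com,' -> 'alice@acme.com'."""
    tokens = first_line.split()
    if len(tokens) < 2:
        return None
    return tokens[1].strip(",.:;!")


def greeting_root_domain(first_line: str) -> Optional[str]:
    """Root domain of the greeting token if it looks like an address or a bare domain."""
    token = greeting_token(first_line)
    if token is None:
        return None
    if EMAIL_RE.fullmatch(token):
        return root_domain(domain_of(token))
    if "@" not in token and "." in token and not token.startswith("."):
        return root_domain(token)  # greeting carried just the domain, e.g. "Hi acme.com,"
    return None


def matches_rule(msg: Message) -> bool:
    """All conditions must hold: Zoom sender, freemail Reply-To, new and unsolicited
    Reply-To profile, and a greeting whose root domain matches a recipient's."""
    if msg.sender.lower() != ZOOM_SENDER:
        return False
    if not msg.reply_to or domain_of(msg.reply_to) not in FREEMAIL_PROVIDERS:
        return False
    if not msg.reply_to_is_new or msg.reply_to_solicited:
        return False
    greeting_root = greeting_root_domain(msg.body_first_line)
    if greeting_root is None:
        return False
    return any(root_domain(domain_of(r)) == greeting_root for r in msg.recipients)


# Constructed samples: one lure and two messages that should not fire.
SAMPLES = {
    "lure": Message(ZOOM_SENDER, "zoom.billing.team@gmail.com", ["alice@mail.acme.com"],
                    "Hi alice@mail.acme.com,", True, False),
    "name_greeting": Message(ZOOM_SENDER, "zoom.billing.team@gmail.com", ["alice@mail.acme.com"],
                             "Hi Alice,", True, False),
    "corporate_reply_to": Message(ZOOM_SENDER, "support@zoom.us", ["alice@mail.acme.com"],
                                  "Hi alice@mail.acme.com,", True, False),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name}: {'MATCH' if matches_rule(msg) else 'no match'}")
```

Note that the recipient comparison deliberately uses the root domain on both sides, so a greeting addressed to alice@mail.acme.com still matches a recipient at acme.com; the name-greeting and corporate-Reply-To samples show the two conditions that most commonly keep a legitimate Zoom notification from firing.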
Categories
  • Web
  • Application
Data Sources
  • Script
Created: 2026-05-07