
Summary
This inbound rule detects messages whose body contains specific malicious URLs by checking the SHA-256 hash of each href_url.url against an auto-managed IOC list. The IOCs are maintained by the private threat intelligence pipeline and are not manually editable. The rule triggers when a type.inbound message has any linked URL whose SHA-256 hash matches one of the two observed Zoom impersonation URLs. Detected indicators map to Credential Phishing and Malware/Ransomware campaigns. Detection methods include URL analysis and content analysis. The rule is stored in an auto-generated file path and uses a hash-based match against the IOC set. It applies to Network and Web contexts, and to Application data where an application processes inbound messages. Attack techniques include Evasion and Social engineering. Keywords include: malicious URL, Zoom impersonation, phishing, IOC, URL hashing.
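A sketch of the hash-based match described in the summary, added here as an illustration; it is not the rule's own source. The message fields `direction` and `body_html`, the helper names, and the two `.example` URLs are assumptions constructed for the demo, standing in for the rule's type.inbound check, href_url.url, and the real IOC list.

```python
import hashlib
from html.parser import HTMLParser


class _HrefCollector(HTMLParser):
    """Collects the href value of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def sha256_hex(url: str) -> str:
    """Hex SHA-256 of the URL string exactly as extracted (no normalization)."""
    return hashlib.sha256(url.encode("utf-8")).hexdigest()


def matching_links(message: dict, ioc_hashes: frozenset) -> list:
    """Return body links whose SHA-256 is in the IOC set; inbound mail only."""
    if message.get("direction") != "inbound":
        return []
    parser = _HrefCollector()
    parser.feed(message.get("body_html", ""))
    return [u for u in parser.hrefs if sha256_hex(u) in ioc_hashes]


# Constructed stand-ins for the two IOC URLs; a real list ships hashes only.
SAMPLE_IOC_URLS = (
    "https://zoom-meeting.example/join/123",
    "https://zoom-invite.example/start",
)
IOC_HASHES = frozenset(sha256_hex(u) for u in SAMPLE_IOC_URLS)

# Constructed inbound message with one listed link and one unrelated link.
SAMPLE_MESSAGE = {
    "direction": "inbound",
    "body_html": '<p><a href="https://zoom-meeting.example/join/123">Join</a> '
                 '<a href="https://example.org/help">Help</a></p>',
}

if __name__ == "__main__":
    print(matching_links(SAMPLE_MESSAGE, IOC_HASHES))
```

Because the comparison is on the hash of the exact string, the IOC pipeline and the link extractor must produce the URL in the same form for a listed URL to match.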
Categories
- Network
- Web
- Application
Data Sources
- Network Traffic
- Application Log
Created: 2026-04-25