
Summary
This rule detects brand-impersonation phishing that uses Zoom as the lure. It looks for inbound messages from free email providers that mention 'zoom' in the subject or body and contain at least one link whose href_url.url includes 'zoom.us' while neither the link's underlying root domain (href_url.domain.root_domain) nor its visible root domain (display_url.domain.root_domain) is 'zoom.us' or 'zoom.com'. This combination flags the case where a user sees what looks like a Zoom link but is sent to a malicious or unrelated site. The rule combines content analysis (the word 'zoom' in the message text) with URL analysis (mismatch between the link target and the domain the user sees) to identify potential credential phishing or malware delivery. It is focused on inbound messaging and link deception, and complements user awareness training and URL filtering as mitigations.
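As an added example, not the rule's own code, the following Python approximates the logic summarised above and runs it over constructed messages. The free-mail provider list, the simplified root-domain extraction (last two labels, no public-suffix list) and the sample hostnames are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed free-mail sender list; the rule's real provider list is not on the page.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
ZOOM_ROOTS = {"zoom.us", "zoom.com"}

def host_of(url):
    """Hostname of a URL; tolerates display text written without a scheme."""
    parsed = urlparse(url if "://" in url else "//" + url)
    return (parsed.hostname or "").lower()

def root_domain(host):
    """Simplified root-domain extraction (assumption: last two labels, no public-suffix list)."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def link_is_deceptive(link):
    """href_url.url contains 'zoom.us' but neither the real nor the displayed root domain is Zoom's."""
    href = link["href_url"]
    display = link.get("display_url") or ""
    return ("zoom.us" in href.lower()
            and root_domain(host_of(href)) not in ZOOM_ROOTS
            and root_domain(host_of(display)) not in ZOOM_ROOTS)

def rule_matches(msg):
    """Free-mail sender, 'zoom' mentioned in subject or body, and at least one deceptive Zoom link."""
    sender_domain = msg["sender"].rsplit("@", 1)[-1].lower()
    if sender_domain not in FREE_MAIL_DOMAINS:
        return False
    mentions_zoom = re.search(r"\bzoom\b", msg["subject"] + " " + msg["body"], re.IGNORECASE)
    return bool(mentions_zoom) and any(link_is_deceptive(link) for link in msg["links"])

def evaluate(messages):
    """Return the ids of messages the rule would flag."""
    return [m["id"] for m in messages if rule_matches(m)]

# Constructed sample messages; hostnames are illustrative placeholders, not real indicators.
DECEPTIVE = {"href_url": "https://zoom.us.recording-view.example/play?id=42",
             "display_url": "zoom.us.recording-view.example/play?id=42"}
GENUINE = {"href_url": "https://us02web.zoom.us/j/123456789",
           "display_url": "https://us02web.zoom.us/j/123456789"}
SAMPLE_MESSAGES = [
    {"id": "m1", "sender": "payroll.team@gmail.com", "subject": "Zoom: your recording is ready",
     "body": "Review the meeting recording before it expires.", "links": [DECEPTIVE]},
    {"id": "m2", "sender": "bob@gmail.com", "subject": "Zoom call tomorrow",
     "body": "Join at 10am.", "links": [GENUINE]},          # genuine zoom.us root: not flagged
    {"id": "m3", "sender": "it@corp.example", "subject": "Zoom recording",
     "body": "Please review.", "links": [DECEPTIVE]},       # not a free-mail sender: not flagged
    {"id": "m4", "sender": "carol@yahoo.com", "subject": "Invoice attached",
     "body": "See the document below.", "links": [DECEPTIVE]},  # no 'zoom' in text: not flagged
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_MESSAGES))  # ['m1']
```

Because the summary requires the displayed root domain to be non-Zoom as well, a link whose visible text is a real zoom.us URL but whose href points elsewhere falls outside this rule and needs separate coverage.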
Categories
- Web
Data Sources
- Network Traffic
- Domain Name
Created: 2026-04-02