
Summary
This rule detects potentially malicious emails that contain a direct link to Zoom Docs but come from a sender outside the Zoom organization. The detection criteria require that the message contain exactly one link whose host is 'docs.zoom.us', the legitimate domain for Zoom Docs, and that this be the only link to any Zoom domain in the message. In addition, the sender's email domain must not be 'zoom.us' and the message must fail the DMARC authentication check, which indicates a spoofing attempt. Because 'docs.zoom.us' is itself a legitimate host, the link alone is not evidence of abuse; the sender checks carry the weight of the verdict. The rule targets phishing campaigns that borrow the familiarity of the Zoom brand to lure recipients into interacting with potentially harmful content. By combining link analysis with sender verification, it reduces the risk of credential theft and strengthens the organization's defences against this form of social engineering.
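The detection logic described above, as an added example that is not part of the rule's own definition: a small Python evaluator that applies the four conditions (exactly one docs.zoom.us link, no other Zoom link, non-zoom.us sender, DMARC failure) to constructed raw messages. Extracting links with a regular expression from a single-part text body, the two-label root-domain helper, and reading the DMARC verdict from an Authentication-Results header are simplifying assumptions made for this example, not the rule engine's own methods; the four sample messages are constructed.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

ZOOM_ROOT = "zoom.us"          # root domain of the impersonated brand
DOCS_HOST = "docs.zoom.us"     # the one link host the rule requires

# Assumption: links appear as bare http(s) URLs in a text/plain body.
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def root_domain(host: str) -> str:
    """Last two DNS labels (assumption: no multi-label public suffixes)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def extract_link_hosts(body: str) -> list[str]:
    """Return the lowercase hostname of every URL found in the body."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def sender_domain(msg: Message) -> str:
    """Domain of the RFC 5322 From address (what DMARC aligns against)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def dmarc_passed(msg: Message) -> bool:
    """Read dmarc=<result> from Authentication-Results; absent counts as fail."""
    for header in msg.get_all("Authentication-Results") or []:
        m = re.search(r"dmarc=(\w+)", header, re.IGNORECASE)
        if m:
            return m.group(1).lower() == "pass"
    return False


def evaluate(raw: str) -> tuple[bool, dict[str, bool]]:
    """Apply the rule's four conditions; return (matched, per-condition results)."""
    msg = message_from_string(raw)
    hosts = extract_link_hosts(msg.get_payload())
    docs_links = [h for h in hosts if h == DOCS_HOST]          # exact host match
    zoom_links = [h for h in hosts if root_domain(h) == ZOOM_ROOT]
    checks = {
        "one_docs_link": len(docs_links) == 1,
        "only_zoom_link": len(zoom_links) == 1,   # the docs link is the only Zoom link
        "sender_not_zoom": root_domain(sender_domain(msg)) != ZOOM_ROOT,
        "dmarc_fail": not dmarc_passed(msg),
    }
    return all(checks.values()), checks


# Constructed sample messages (not real traffic).
PHISH = """\
From: "Zoom Docs" <noreply@zoom-share-notice.com>
To: victim@example.com
Subject: A document was shared with you
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=zoom-share-notice.com; dmarc=fail (p=reject) header.from=zoom-share-notice.com

Open the document: https://docs.zoom.us/doc/abc123
"""

LEGIT = """\
From: Zoom <no-reply@zoom.us>
To: user@example.com
Subject: A document was shared with you
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=zoom.us; dmarc=pass header.from=zoom.us

Open the document: https://docs.zoom.us/doc/abc123
"""

TWO_ZOOM_LINKS = """\
From: "Zoom Docs" <noreply@zoom-share-notice.com>
To: victim@example.com
Subject: Meeting notes
Authentication-Results: mx.example.com; dmarc=fail header.from=zoom-share-notice.com

Notes: https://docs.zoom.us/doc/abc123 and join here: https://zoom.us/j/1234567890
"""

LOOKALIKE = """\
From: "Zoom Docs" <noreply@zoom-share-notice.com>
To: victim@example.com
Subject: A document was shared with you
Authentication-Results: mx.example.com; dmarc=fail header.from=zoom-share-notice.com

Open the document: https://docs.zoom.us.evil.example/doc/abc123
"""

if __name__ == "__main__":
    for name, raw in [("phish", PHISH), ("legit", LEGIT),
                      ("two_zoom_links", TWO_ZOOM_LINKS), ("lookalike", LOOKALIKE)]:
        matched, checks = evaluate(raw)
        print(f"{name:15} matched={matched} {checks}")
```

Only the first message fires: the genuine Zoom notification fails both sender conditions, the message with a second zoom.us link violates the only-Zoom-link condition, and the lookalike host never satisfies the exact 'docs.zoom.us' match, so it falls outside this rule's scope rather than producing a false match.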
Categories
- Cloud
- Web
- Endpoint
Data Sources
- User Account
- Application Log
Created: 2025-05-23