Summary
Detects inbound messages that appear to originate from Zoom's legitimate sending infrastructure (no-reply@zoom.us) but carry a Reply-To address whose domain was registered recently. The rule checks: (1) the sender matches the known Zoom no-reply address, (2) the Reply-To header contains a domain, and (3) a Whois lookup on that domain shows days_old < 45. When all three conditions are met, the rule flags potential abuse of Zoom's service for malicious purposes such as phishing or brand impersonation. It combines sender analysis, header analysis, and Whois-based domain age to identify the suspicious pairing of legitimate branding with a newly registered domain used to misdirect replies. The severity is medium and it targets social engineering and evasion techniques. False positives may include legitimate campaigns using new domains or temporary testing infrastructure; mitigations include SPF/DKIM checks, reputation scoring for the reply-to domain, and correlation with Zoom infrastructure data to confirm legitimacy. The rule serves as an early warning so that suspicious campaigns leveraging Zoom branding can be isolated quickly.
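The three checks above, worked through on raw message headers as an added example (not the rule's own code). The Whois lookup is replaced by a constructed table of registration dates, and the sample messages and the `.example` domain are constructed; a domain with no Whois record is left unflagged, since its age is unknown.

```python
# Added illustration of the rule's three checks; not the rule's own code.
from datetime import date
from email import message_from_string
from email.utils import getaddresses

ZOOM_SENDER = "no-reply@zoom.us"
MAX_DAYS_OLD = 45
TODAY = date(2026, 5, 5)  # fixed so the example is deterministic

# Constructed stand-in for a Whois lookup: domain -> registration date.
FAKE_WHOIS = {
    "zoom.us": date(2011, 1, 1),
    "meeting-recordings.example": date(2026, 4, 20),  # 15 days old
}

def domain_age_days(domain):
    """Days since registration, or None when Whois has no record."""
    created = FAKE_WHOIS.get(domain.lower())
    return (TODAY - created).days if created else None

def reply_to_domains(msg):
    """Domains from Reply-To, handling display names and address lists."""
    pairs = getaddresses(msg.get_all("Reply-To", []))
    return [addr.rpartition("@")[2].lower() for _, addr in pairs if "@" in addr]

def is_suspicious_zoom_reply_to(raw):
    """True when From is Zoom's no-reply and any Reply-To domain is < 45 days old."""
    msg = message_from_string(raw)
    senders = [addr for _, addr in getaddresses(msg.get_all("From", []))]
    if not senders or senders[0].lower() != ZOOM_SENDER:
        return False  # check (1): sender must match exactly
    for dom in reply_to_domains(msg):  # check (2): a Reply-To domain exists
        age = domain_age_days(dom)
        if age is not None and age < MAX_DAYS_OLD:  # check (3): unknown age not flagged
            return True
    return False

# Constructed sample messages.
SUSPICIOUS = """From: "Zoom" <no-reply@zoom.us>
Reply-To: Support <help@meeting-recordings.example>

Your cloud recording is available.
"""
BENIGN = """From: Zoom <no-reply@zoom.us>
Reply-To: no-reply@zoom.us

Your cloud recording is available.
"""
```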
Categories
- Network
- Application
- Web
Data Sources
- Domain Name
- Network Traffic
Created: 2026-05-05