Link: Zoho Form Link from Unsolicited Sender

Sublime Rules

Summary
This detection rule identifies email messages from unsolicited senders that contain links to the Zoho Forms service. The detection analyzes the email body for links pointing to 'forms.zohopublic.com', a legitimate form-hosting service that threat actors also use to build deceptive landing pages for credential phishing. To reduce false positives the rule excludes common marketing messages, identified by an excessive number of links or a lengthy text body, and requires that the matching Zoho Forms link be unique within the email content. The rule also checks that the sender's domain is low-trust, so that messages from higher-trust domains that pass DMARC validation are not flagged. Together these conditions surface likely phishing attempts while keeping benign messages from being categorized as threats.
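The following Python snippet is an added example, not the Sublime rule itself, that models the summary's conditions: a single link to 'forms.zohopublic.com', exclusion of link-heavy or long marketing bodies, and a low-trust sender check based on DMARC. The thresholds (MAX_LINKS, MAX_BODY_CHARS), the HIGH_TRUST_DOMAINS allowlist, and the sample messages are all constructed for illustration; the real rule's values and trust scoring are not given on the page.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Host the rule looks for in the message body (from the rule summary).
ZOHO_FORMS_HOST = "forms.zohopublic.com"

# Assumed thresholds standing in for the rule's marketing-message exclusions.
MAX_LINKS = 10
MAX_BODY_CHARS = 2000

# Hypothetical allowlist standing in for the rule's sender-trust scoring.
HIGH_TRUST_DOMAINS = {"example-corp.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Email:
    sender_domain: str  # domain of the From: header
    dmarc_pass: bool    # result of DMARC evaluation on the message
    body: str           # plain-text body


def extract_links(body: str) -> list[str]:
    """Return every http(s) URL found in the body, in order of appearance."""
    return URL_RE.findall(body)


def link_host(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def is_high_trust_sender(email: Email) -> bool:
    """Higher-trust domains that pass DMARC are excluded from the detection."""
    return email.sender_domain.lower() in HIGH_TRUST_DOMAINS and email.dmarc_pass


def matches_rule(email: Email) -> bool:
    """True when the message looks like an unsolicited Zoho Forms lure."""
    links = extract_links(email.body)

    # Marketing-style messages: too many links or a long text body.
    if len(links) > MAX_LINKS or len(email.body) > MAX_BODY_CHARS:
        return False

    # The Zoho Forms link must be present and unique within the body.
    zoho_links = {link for link in links if link_host(link) == ZOHO_FORMS_HOST}
    if len(zoho_links) != 1:
        return False

    # Only low-trust senders are flagged.
    if is_high_trust_sender(email):
        return False

    return True


LURE = "Please review the shared document: https://forms.zohopublic.com/acme/form/review"

# Constructed sample messages covering each branch of the logic.
SAMPLES = {
    "unsolicited_lure": Email("newly-registered-mail.net", False, LURE),
    "trusted_sender": Email("example-corp.com", True, LURE),
    "marketing_blast": Email(
        "newsletter-sender.net",
        False,
        " ".join(f"https://shop{i}.example.net/deal" for i in range(12)) + " " + LURE,
    ),
    "no_form_link": Email("newly-registered-mail.net", False,
                          "Invoice attached, see https://docs.example.net/invoice"),
    "two_form_links": Email("newly-registered-mail.net", False,
                            LURE + " and https://forms.zohopublic.com/acme/form/second"),
}


def evaluate_samples() -> dict[str, bool]:
    """Run the rule over every constructed sample and report the verdicts."""
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:18s} -> {'FLAG' if verdict else 'pass'}")
```

The allowlist is a stand-in: a production implementation would consult the platform's own sender-reputation data rather than a static set, and the link and body thresholds should be tuned against the organisation's real mail.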
Categories
  • Web
  • Cloud
  • Endpoint
Data Sources
  • User Account
  • Network Traffic
  • Application Log
Created: 2024-11-05