
Summary
This rule detects potentially malicious messages from Zoom Docs that originate from new or unrecognized email addresses. It focuses on emails whose sender purports to be Zoom (domain 'zoom.us') but whose sharing party has not been previously observed or marked as trusted by the organization. The detection extracts the sharer's email address from the body of the message with a regex pattern, compares its domain against the list of known organizational domains, and checks it against known free email providers to judge legitimacy. The rule aims to reduce the risk of credential phishing, in particular social engineering that abuses document sharing services.
Categories
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2025-05-24