diff --git a/detection-rules/link_zoom_docs_direct.yml b/detection-rules/link_zoom_docs_direct.yml
new file mode 100644
index 00000000000..92c0f51d51c
--- /dev/null
+++ b/detection-rules/link_zoom_docs_direct.yml
@@ -0,0 +1,27 @@
+name: "Link: Direct link to Zoom Docs from Non-Zoom Sender"
+description: "Message includes a single link to Zoom Docs, with no other links to zoom and originates from a sender outside the Zoom organization "
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  // contains a link to zoom docs
+  and any(body.links, .href_url.domain.domain == "docs.zoom.us")
+  // is the only link to zoom
+  and length(filter(body.links, .href_url.domain.root_domain == "zoom.us")) == 1
+  // not from zoom.us
+  and not (
+    sender.email.domain.root_domain == "zoom.us"
+    and headers.auth_summary.dmarc.pass
+  )
+tags:
+  - "Attack surface reduction"
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Social engineering"
+  - "Impersonation: Brand"
+detection_methods:
+  - "Header analysis"
+  - "URL analysis"
+  - "Sender analysis"
+id: "5c6362db-62e0-56c9-b988-ad17a2738a47"