type.inbound
and sender.email.domain.root_domain in $free_email_providers
and any([subject.base, body.current_thread.text], strings.icontains(., "zoom"))
and any(filter(body.current_thread.links,
strings.icontains(.href_url.url, "zoom.us")
),
.href_url.domain.root_domain not in ("zoom.us", "zoom.com")
and .display_url.domain.root_domain not in ("zoom.us", "zoom.com")
)
Playground
Test against your own EMLs or sample data.