
Summary
This detection rule targets potential DocuSign impersonation attempts delivered via CloudHQ links. It analyzes inbound messages, looking for share links on the CloudHQ domain that are sent from external email domains. The rule checks whether the message contains a CloudHQ link whose path indicates a share link (starting with '/s/'). It then inspects the subject line and sender display name for variations of 'DocuSign' using a regex, while requiring that the sender is not the legitimate CloudHQ domain itself. Finally, the rule requires that exactly one unique CloudHQ link be present in the message, which reduces false positives from legitimate uses. The detection correlates several analyses (header, URL, content, and sender information) to identify brand impersonation and credential phishing attacks.
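The logic described above, as an added worked example that is not the rule's own source: the CloudHQ host (`cloudhq.net`), the protected organization's domain (`example.com`), the DocuSign regex and the sample messages are all assumptions constructed for the illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed values; the rule summary names neither the exact host nor the regex.
CLOUDHQ_DOMAIN = "cloudhq.net"        # assumed CloudHQ share-link host
ORG_DOMAIN = "example.com"            # assumed internal (non-external) domain
DOCUSIGN_RE = re.compile(r"docu[\s._\-]*sign", re.IGNORECASE)  # assumed variant regex

@dataclass
class Message:
    sender_email: str
    sender_display_name: str
    subject: str
    links: list          # URLs already extracted from the body
    inbound: bool = True

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def _on_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)

def is_cloudhq_share_link(url: str) -> bool:
    """True for links on the CloudHQ host whose path starts with /s/."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return _on_domain(host, CLOUDHQ_DOMAIN) and parsed.path.startswith("/s/")

def detect_docusign_cloudhq_impersonation(msg: Message) -> bool:
    if not msg.inbound:
        return False
    sender = _domain(msg.sender_email)
    # Sender must be external and must not be CloudHQ itself.
    if _on_domain(sender, ORG_DOMAIN) or _on_domain(sender, CLOUDHQ_DOMAIN):
        return False
    # Exactly one unique CloudHQ share link (repeats of the same URL count once).
    if len({u for u in msg.links if is_cloudhq_share_link(u)}) != 1:
        return False
    return bool(DOCUSIGN_RE.search(msg.subject) or DOCUSIGN_RE.search(msg.sender_display_name))

# Constructed sample messages (not real traffic).
SAMPLES = {
    "phish": Message("billing@attacker.test", "Docu-Sign Services",
                     "Completed: review document", ["https://www.cloudhq.net/s/abc123"] * 2),
    "legit_cloudhq": Message("noreply@cloudhq.net", "cloudHQ",
                             "DocuSign export ready", ["https://www.cloudhq.net/s/abc123"]),
    "no_share_path": Message("billing@attacker.test", "DocuSign",
                             "Document", ["https://www.cloudhq.net/pricing"]),
    "two_links": Message("billing@attacker.test", "DocuSign", "Docs",
                         ["https://www.cloudhq.net/s/a", "https://www.cloudhq.net/s/b"]),
}
```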
Categories
- Web
- Cloud
- Identity Management
- Application
Data Sources
- User Account
- Web Credential
- Cloud Service
- Process
Created: 2025-04-04