Brand impersonation: DocuSign (QR code)

Sublime Rules

Summary
This detection rule targets attempts to impersonate the DocuSign brand using image-based lures and QR codes in emails from unsolicited senders. It evaluates inbound messages carrying image or PDF attachments and uses machine learning (ML) to detect the DocuSign logo at a specified confidence level. To improve accuracy, it inspects any embedded QR codes and the text within images for keywords related to scanning or QR codes, while filtering out benign photographs taken on common Android and Apple mobile devices to reduce false positives. It also checks authentication results so that messages legitimately sent from recognised DocuSign domains are excluded, and it only fires once the message is confirmed to be unsolicited. The rule covers credential phishing delivered through social engineering and brand impersonation; its methodology combines header analysis, computer vision for logo detection, and QR code data analysis to judge whether a communication that appears to involve DocuSign is genuine.
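The decision logic described in the summary, as an added Python illustration that is not the Sublime rule itself: the message and attachment fields, the keyword pattern, the confidence threshold, the DocuSign domain list and the camera-maker list are all assumptions made for this example, and a real deployment would take them from the mail pipeline's own logo-detection, OCR, QR-decoding and authentication outputs.

```python
# Added illustration of the rule's conditions; not the Sublime rule itself.
# All thresholds, field names and lists below are assumptions for this example.
import re
from dataclasses import dataclass, field

SCAN_KEYWORDS = re.compile(r"\b(scan|qr\s*code)\b", re.IGNORECASE)  # assumed lure keywords
LOGO_CONFIDENCE_THRESHOLD = 0.9                                     # assumed ML confidence cut-off
DOCUSIGN_DOMAINS = {"docusign.com", "docusign.net"}  # placeholder: recognised sender domains
MOBILE_CAMERA_MAKES = {"apple", "samsung", "google"}  # placeholder: phone-camera EXIF makers

@dataclass
class Attachment:
    content_type: str
    logo_detections: dict = field(default_factory=dict)  # e.g. {"docusign": 0.97} from a vision model
    ocr_text: str = ""                                    # text extracted from the image
    qr_payloads: list = field(default_factory=list)       # decoded QR code contents
    exif_make: str = ""                                   # camera maker from EXIF, if any

@dataclass
class Message:
    sender_domain: str
    dmarc_pass: bool
    solicited: bool                                       # prior-contact / reply-chain signal
    attachments: list = field(default_factory=list)

def attachment_suspicious(att: Attachment) -> bool:
    # Only images and PDFs are in scope for the logo + QR check
    if not (att.content_type.startswith("image/") or att.content_type == "application/pdf"):
        return False
    # A photo straight off a phone camera is treated as benign to cut false positives
    if att.exif_make.lower() in MOBILE_CAMERA_MAKES:
        return False
    logo_hit = att.logo_detections.get("docusign", 0.0) >= LOGO_CONFIDENCE_THRESHOLD
    qr_or_scan_lure = bool(att.qr_payloads) or bool(SCAN_KEYWORDS.search(att.ocr_text))
    return logo_hit and qr_or_scan_lure

def is_docusign_qr_impersonation(msg: Message) -> bool:
    # Solicited mail (existing conversation) is out of scope
    if msg.solicited:
        return False
    # Authenticated mail from DocuSign's own domains is the genuine brand, not impersonation
    if msg.sender_domain in DOCUSIGN_DOMAINS and msg.dmarc_pass:
        return False
    return any(attachment_suspicious(a) for a in msg.attachments)
```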
Categories
  • Web
  • Identity Management
Data Sources
  • User Account
  • Process
  • Network Traffic
  • Application Log
Created: 2023-11-09