
Summary
This detection rule identifies potentially malicious DocuSign emails whose reply-to address points to a newly registered domain. The email must come from DocuSign's legitimate sending domain (docusign.net) and pass SPF and DMARC authentication, so the rule targets abuse of the real DocuSign service rather than spoofing of it: the message is a genuine DocuSign envelope, but the reply-to address is not one the organization has dealt with before. The rule then examines the reply-to domain. If that domain has had no prior communication with the organization (it is unsolicited) and was registered less than 30 days ago, the email is flagged. The rule also requires that the subject line not start with 'Completed:', since a completed envelope is a finished transaction with no pending action to lure the recipient, whereas an in-progress request asks them to act. Given the evolving tactics of credential phishing and business email compromise (BEC), the rule proactively analyzes incoming mail for signs of impersonation and social engineering and stops such messages before they reach the inbox.
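The criteria above, as an added Python example run over constructed sample messages. This is not the rule's own code or query language: the message fields, the source of the domain-registration and solicitation enrichment, the subdomain handling for docusign.net, and the sample messages are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from email.utils import parseaddr
from typing import List, Optional

# Threshold from the rule summary: reply-to domain registered less than 30 days ago.
NEW_DOMAIN_DAYS = 30
TRUSTED_SENDER_DOMAIN = "docusign.net"


@dataclass
class Message:
    """One inbound message plus the enrichment the rule depends on.

    The enrichment fields (domain registration date, solicitation status) are
    assumed to be supplied by the mail pipeline; here they are constructed.
    """
    sender_domain: str
    spf_pass: bool
    dmarc_pass: bool
    reply_to: str                        # raw Reply-To header, "" if absent
    subject: str
    reply_to_registered: Optional[date]  # None = registration date unknown
    reply_to_solicited: bool             # True = org has prior mail with this domain


def reply_to_domain(header: str) -> str:
    """Extract the lowercase domain from a Reply-To header, or "" if none."""
    _, addr = parseaddr(header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def is_suspicious(msg: Message, today: date) -> bool:
    """Apply the rule's criteria; True means the message should be flagged."""
    # 1. Must genuinely come from DocuSign (exact domain or a subdomain, an
    #    assumption here) and pass both SPF and DMARC.
    sender = msg.sender_domain.lower()
    if sender != TRUSTED_SENDER_DOMAIN and not sender.endswith("." + TRUSTED_SENDER_DOMAIN):
        return False
    if not (msg.spf_pass and msg.dmarc_pass):
        return False

    # 2. There must be a reply-to domain to evaluate.
    domain = reply_to_domain(msg.reply_to)
    if not domain:
        return False

    # 3. The reply-to domain must be unsolicited (no prior communication) ...
    if msg.reply_to_solicited:
        return False

    # 4. ... and newly registered. An unknown registration date is treated as
    #    not-new here (a conservative design choice; flagging unknowns would
    #    trade false positives for recall).
    if msg.reply_to_registered is None:
        return False
    if (today - msg.reply_to_registered).days >= NEW_DOMAIN_DAYS:
        return False

    # 5. Exclude completed envelopes: the lure needs a pending action.
    if msg.subject.strip().lower().startswith("completed:"):
        return False
    return True


def flagged_subjects(messages: List[Message], today: date) -> List[str]:
    """Return the subjects of all messages the rule would flag."""
    return [m.subject for m in messages if is_suspicious(m, today)]


TODAY = date(2024, 10, 1)

# Constructed sample messages, not real traffic.
SAMPLES = [
    # Genuine DocuSign envelope whose reply-to is on a 5-day-old, unknown domain.
    Message("docusign.net", True, True, "Accounts <ap@vendor-billing.example>",
            "Please DocuSign: Invoice 4471", TODAY - timedelta(days=5), False),
    # Same envelope after signing: "Completed:" subject, nothing left to lure.
    Message("docusign.net", True, True, "Accounts <ap@vendor-billing.example>",
            "Completed: Invoice 4471", TODAY - timedelta(days=5), False),
    # Long-established reply-to domain.
    Message("docusign.net", True, True, "HR <hr@partner.example>",
            "Please DocuSign: Offer Letter", TODAY - timedelta(days=900), False),
    # New domain, but the org already corresponds with it (solicited).
    Message("docusign.net", True, True, "Sales <sales@newclient.example>",
            "Please DocuSign: MSA", TODAY - timedelta(days=10), True),
    # Lookalike sender: not docusign.net, so this rule does not apply.
    Message("docusign-net.example", True, True, "Accounts <ap@vendor-billing.example>",
            "Please DocuSign: Invoice 4471", TODAY - timedelta(days=5), False),
    # SPF failure: out of scope for this rule, which assumes authentic DocuSign mail.
    Message("docusign.net", False, True, "Accounts <ap@vendor-billing.example>",
            "Please DocuSign: Invoice 4471", TODAY - timedelta(days=5), False),
    # No Reply-To header at all.
    Message("docusign.net", True, True, "", "Please DocuSign: NDA", None, False),
]

if __name__ == "__main__":
    for subj in flagged_subjects(SAMPLES, TODAY):
        print("FLAGGED:", subj)
```

Only the first sample is flagged; each of the others fails exactly one criterion, which makes the list a handy regression set when tuning the 30-day threshold or the handling of unknown registration dates.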
Categories
- Web
- Cloud
- Identity Management
- Endpoint
Data Sources
- User Account
- Process
- Network Traffic
- Application Log
Created: 2024-10-01