Service Abuse: DocuSign Notification with Suspicious Sender or Document Name

Sublime Rules

Summary
This detection rule identifies phishing attempts that masquerade as legitimate DocuSign notifications, focusing on anomalies such as a newly seen reply-to address and a suspicious sender or document name. It combines several checks: sender authentication, the presence of email attachments, and the content of the message body. Specifically, the rule flags emails sent from the DocuSign domain whose reply-to address is unusual and has not previously interacted with the organization. It also inspects subject lines for common phishing lures, analyzes sender display names for signs of impersonation, and checks how earlier emails associated with the same reply-to address were classified. The rule targets social engineering and business email compromise (BEC), looking for indicators of malicious intent. Taken together, the sender display-name analysis, header validation, and content parsing are intended to flag harmful messages before they lead to a breach or to fraud.
Categories
  • Web
  • Identity Management
  • Cloud
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2024-11-13