
Summary
This detection rule identifies potential phishing messages that impersonate Xodo Sign by including the phrase 'Processed by Xodo Sign' in the message body. It targets messages that fail DMARC (Domain-based Message Authentication, Reporting & Conformance) authentication: legitimate emails from eversign.com pass verification, while messages from other domains are flagged. The rule combines content analysis (inspecting the message text), header analysis (evaluating the authenticity of the sender's domain), and sender analysis (determining whether the email originates from a trusted source). It addresses brand impersonation and common social engineering tactics, and raises a medium-severity alert to help protect users from credential phishing by notifying administrators of suspicious activity that might compromise sensitive information.
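The logic summarized above, sketched in Python as an added example (this is not the rule's own source). The authserv-id `mx.example.net`, the helper names and the sample messages are constructed assumptions; only the phrase and the eversign.com domain come from the summary.

```python
import re
from email import message_from_string
from email.utils import parseaddr

PHRASE = "processed by xodo sign"   # phrase named in the rule summary
BRAND_DOMAIN = "eversign.com"       # legitimate sending domain per the summary
AUTHSERV_ID = "mx.example.net"      # assumption: authserv-id of our own receiving MTA

def dmarc_passed(msg):
    """True only if a header stamped by our own MTA reports dmarc=pass."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if (authserv.split() or [""])[0].lower() != AUTHSERV_ID:
            continue  # ignore verdicts the sender could have injected
        m = re.search(r"\bdmarc=(\w+)", results, re.I)
        if m:
            return m.group(1).lower() == "pass"
    return False  # no trusted verdict counts as not passing

def body_text(msg):
    """Concatenate the decoded text parts (plain and HTML)."""
    out = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)

def is_xodo_impersonation(raw_message):
    msg = message_from_string(raw_message)
    if PHRASE not in body_text(msg).lower():
        return False
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Assumption: subdomains of the brand domain count as the brand.
    from_brand = domain == BRAND_DOMAIN or domain.endswith("." + BRAND_DOMAIN)
    return not (from_brand and dmarc_passed(msg))

def sample(from_addr, auth_results, body):
    """Build a constructed test message (not real mail)."""
    return (f"From: {from_addr}\nAuthentication-Results: {auth_results}\n"
            f"Subject: Document ready\n\n{body}\n")

SIGNED = "Please review and sign.\nProcessed by Xodo Sign"  # constructed body

if __name__ == "__main__":
    spoof = sample("Xodo Sign <no-reply@eversign.com>",
                   "mx.example.net; dmarc=fail header.from=eversign.com", SIGNED)
    print("flag spoofed message:", is_xodo_impersonation(spoof))
```

Only an `Authentication-Results` header written by the receiving server is trusted here, since a sender can include a forged header claiming `dmarc=pass`.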
Categories
- Web
- Identity Management
- Cloud
- Endpoint
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2026-01-17