
Summary
This detection rule identifies potential HR impersonation attacks delivered as fake e-signature messages sent through established e-signature platforms such as DocuSign and HelloSign. It inspects inbound messages that carry no attachments and verifies that the sending email domain is one associated with authorized e-signature services. It also confirms that the message passes SPF or DMARC authentication, which filters out spoofed senders. The core of the rule is its inspection of the message body for language indicative of an HR impersonation scheme, such as references to 'HR', 'employee relations', or associated urgency requests, which may signal credential theft intent. To reduce false positives, the rule excludes messages whose replies go to known legitimate domains within the organization. Finally, it avoids flagging legitimate HR communications by checking for the presence of replies or references in the email chain.
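The following is an added illustration of the rule's logic, not the rule's own code: each of the conditions above is expressed as a predicate over a constructed message record. The platform domain list, the term lists and the field names are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed domains of legitimate e-signature platforms (illustrative only;
# the real rule's list is not given on the page).
ESIGN_DOMAINS = {"docusign.net", "docusign.com", "hellosign.com"}

# Illustrative body phrases: HR references and urgency language.
HR_TERMS = re.compile(r"\b(HR|human resources|employee relations)\b", re.I)
URGENCY_TERMS = re.compile(r"\b(urgent|immediately|within 24 hours|action required)\b", re.I)


@dataclass
class Message:
    """Minimal, constructed view of an inbound message."""
    sender_domain: str
    body: str
    attachments: List[str] = field(default_factory=list)
    spf_pass: bool = False
    dmarc_pass: bool = False
    reply_to_domain: Optional[str] = None
    in_reply_to: Optional[str] = None
    references: List[str] = field(default_factory=list)


def is_hr_esign_impersonation(msg: Message, org_domains: set) -> bool:
    """Return True when the message matches every condition of the rule."""
    # Inbound message with no attachments.
    if msg.attachments:
        return False
    # Sender domain belongs to a known e-signature platform.
    if msg.sender_domain.lower() not in ESIGN_DOMAINS:
        return False
    # Passes SPF or DMARC, so the sender domain is not simply spoofed.
    if not (msg.spf_pass or msg.dmarc_pass):
        return False
    # Body carries HR impersonation language or an associated urgency request.
    if not (HR_TERMS.search(msg.body) or URGENCY_TERMS.search(msg.body)):
        return False
    # Exclude when replies are directed to a known legitimate org domain.
    if msg.reply_to_domain and msg.reply_to_domain.lower() in org_domains:
        return False
    # Exclude messages that belong to an existing thread.
    if msg.in_reply_to or msg.references:
        return False
    return True
```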
Categories
- Endpoint
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Web Credential
- Application Log
- Network Traffic
Created: 2024-10-03