
Credential Phishing: Suspicious E-sign Agreement Document Notification

Sublime Rules

Summary
This detection rule identifies phishing attempts that masquerade as e-signature requests, typically using document-sharing language and suspicious formatting in the message body. It combines several string patterns, including variants of legitimate e-signature platform names (e.g., 'DocuSign', 'Adobe Sign'), to flag potentially malicious messages. It also checks for HTML structures frequently seen in phishing mail, such as excessive padding, unusual repeated HTML fragments, and mailto link counts indicative of spam. Links and attachments are inspected for phishing indicators, and sender profiling restricts alerts to new or known-malicious senders. By combining content, header, HTML-structure, and URL analysis, the rule aims to reduce the risk of credential theft via fraudulent e-signature documents.
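The following is an added illustration, not the Sublime rule itself (which is written in Sublime's own query language and is not reproduced here). It implements the same four legs the summary describes in plain Python: e-sign lure strings, HTML-structure anomalies (mailto counts, padding runs, repeated fragments), link scrutiny, and a sender-profiling stand-in. The platform list, thresholds, "known sender" set and the two sample messages are all constructed assumptions; attachment inspection is omitted.

```python
"""Simplified e-signature credential-phishing detector (added example).

Assumptions: lure vocabulary, thresholds and KNOWN_SENDERS are illustrative and
are not the values used by the Sublime rule summarized above.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Assumed lure vocabulary: e-sign brand names and document-sharing phrasing.
ESIGN_PLATFORMS = re.compile(
    r"\b(docu\s?sign|adobe\s?sign|hello\s?sign|pandadoc|dropbox\s?sign)\b", re.I)
SHARING_PHRASES = re.compile(
    r"(review and sign|shared a document|completed document|e-?sign(ature)? agreement)", re.I)
# Brand tokens a legitimate e-sign link host would be expected to contain.
BRAND_HOST_TOKENS = ("docusign", "adobe", "hellosign", "pandadoc", "dropbox")

# Assumed thresholds for the HTML-structure checks.
MAX_MAILTO_LINKS = 3
MAX_PADDING_RUN = 20     # consecutive &nbsp; / <br> tokens before we call it padding
MIN_REPEATED_BLOCK = 5   # identical long lines repeated this often

# Constructed sender history standing in for real sender profiling.
KNOWN_SENDERS = {"billing@example.com", "notifications@example-vendor.com"}

HREF = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
TAG = re.compile(r"<[^>]+>")


def html_body(msg: Message) -> str:
    """Return the first text/html part, or the body of a single-part message."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode(
                part.get_content_charset() or "utf-8", "replace")
    return ""


def html_anomalies(html: str) -> list:
    """Structural signals: mailto spam, padding runs, repeated HTML fragments."""
    found = []
    if len(re.findall(r'href=["\']mailto:', html, re.I)) > MAX_MAILTO_LINKS:
        found.append("excessive_mailto_links")
    if re.search(r"(?:(?:&nbsp;|<br\s*/?>)\s*){%d,}" % MAX_PADDING_RUN, html, re.I):
        found.append("excessive_padding")
    frags = [ln.strip() for ln in html.splitlines() if len(ln.strip()) > 20]
    if frags and max(frags.count(f) for f in set(frags)) >= MIN_REPEATED_BLOCK:
        found.append("repeated_html_pattern")
    return found


def suspicious_links(html: str) -> list:
    """Anchors whose visible text names an e-sign brand but whose host does not."""
    bad = []
    for href, text in HREF.findall(html):
        host = (urlparse(href).hostname or "").lower()
        if ESIGN_PLATFORMS.search(TAG.sub("", text)) and not any(
                tok in host for tok in BRAND_HOST_TOKENS):
            bad.append(href)
    return bad


def sender_is_new(msg: Message) -> bool:
    """Sender profiling stand-in: an address with no prior history is 'new'."""
    raw = msg.get("From", "")
    m = re.search(r"<([^>]+)>", raw)
    return (m.group(1) if m else raw).strip().lower() not in KNOWN_SENDERS


def evaluate(raw: str) -> dict:
    """Combine the signals; lure, new sender and at least one anomaly must hold."""
    msg = message_from_string(raw)
    html = html_body(msg)
    haystack = msg.get("Subject", "") + " " + TAG.sub(" ", html)
    lure = bool(ESIGN_PLATFORMS.search(haystack) and SHARING_PHRASES.search(haystack))
    anomalies, links, new_sender = html_anomalies(html), suspicious_links(html), sender_is_new(msg)
    return {"lure": lure, "html_anomalies": anomalies, "suspicious_links": links,
            "new_sender": new_sender, "match": lure and new_sender and bool(anomalies or links)}


# Constructed sample messages (not real captures).
PHISH = """From: "DocuSign" <no-reply@mail-delivery-center.example.net>
To: victim@example.com
Subject: DocuSign: Please review and sign your agreement
Content-Type: text/html; charset=utf-8

<html><body>
<p>Alice shared a document with you via DocuSign.</p>
<p><a href="https://files-secure-view.example.net/login">Review and sign on DocuSign</a></p>
<p>""" + "&nbsp;" * 25 + """</p>
<p><a href="mailto:a@x.test">a</a> <a href="mailto:b@x.test">b</a> <a href="mailto:c@x.test">c</a> <a href="mailto:d@x.test">d</a></p>
</body></html>
"""

LEGIT = """From: "Example Vendor" <notifications@example-vendor.com>
To: victim@example.com
Subject: Adobe Sign: Contract ready to review and sign
Content-Type: text/html; charset=utf-8

<html><body><p>Bob shared a document with you.</p>
<p><a href="https://secure.adobesign.example.com/s/abc">Review and sign on Adobe Sign</a></p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(name, evaluate(sample))
```

Each leg is deliberately weak on its own; what makes the combination useful is requiring the lure, an unknown sender, and at least one structural or link anomaly together, which is the same and-of-signals shape the summary describes for the real rule.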
Categories
  • Identity Management
  • Web
  • Endpoint
Data Sources
  • User Account
  • Network Traffic
  • Application Log
  • Web Credential
Created: 2024-06-07