
Summary
This rule detects brand impersonation attacks targeting DocuSign, a widely used electronic signature platform. It focuses on PDF attachments that contain DocuSign's logo but do not link to recognized or legitimate domains, a common characteristic of credential phishing schemes. The rule combines file analysis and URL analysis to scrutinize the content and structure of PDF attachments. For a PDF received in an inbound message, it triggers when the following conditions are met: the attachment is a PDF file, the DocuSign logo is detected within the document, and the URLs extracted from the document do not belong to reputable domains, which include a whitelist of trusted entities and organizations. Additionally, text from the PDF is classified using Natural Language Understanding (NLU) to identify references to 'DocuSign' and to analyze requests made within the document. This multi-faceted approach helps security teams identify malicious attempts to impersonate the DocuSign brand and protect users from credential theft.
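An added example (not the rule's own source, which this page does not show) that models the three trigger conditions in Python and shows why the domain check has to compare parsed hostnames rather than search the URL string. The allowlist, the attachment field names and the sample data are assumptions constructed for illustration; logo detection output is taken as input, and a PDF is flagged when at least one extracted link falls outside the allowlist.

```python
from urllib.parse import urlparse

# Assumed allowlist for illustration; the rule's real trusted lists are not on the page.
TRUSTED_DOMAINS = {"docusign.com", "docusign.net"}


def is_trusted(url, trusted=TRUSTED_DOMAINS):
    """True only if the hostname is a trusted domain or a subdomain of one."""
    try:
        host = (urlparse(url).hostname or "").rstrip(".")
    except ValueError:  # malformed URL: treat as untrusted
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


def untrusted_links(urls, trusted=TRUSTED_DOMAINS):
    """Links that an analyst should review, in document order."""
    return [u for u in urls if not is_trusted(u, trusted)]


def should_flag(attachment, trusted=TRUSTED_DOMAINS):
    """PDF + DocuSign logo + at least one link outside the allowlist."""
    if attachment["file_type"] != "pdf":
        return False
    if "DocuSign" not in attachment["logos"]:
        return False
    return bool(untrusted_links(attachment["urls"], trusted))


# Constructed sample attachments (hypothetical field names, reserved .example hosts).
SAMPLES = {
    "legit": {"file_type": "pdf", "logos": ["DocuSign"],
              "urls": ["https://www.docusign.com/sign/abc",
                       "https://na4.docusign.net/Signing/"]},
    # Brand name appears in the URL, but the hostname is not DocuSign's.
    "suffix_lookalike": {"file_type": "pdf", "logos": ["DocuSign"],
                         "urls": ["https://docusign.com.account-verify.example/login"]},
    # Brand domain sits in the userinfo part; the real host follows the "@".
    "userinfo_lookalike": {"file_type": "pdf", "logos": ["DocuSign"],
                           "urls": ["https://www.docusign.com@files.example/doc"]},
    "no_logo": {"file_type": "pdf", "logos": [],
                "urls": ["https://files.example/invoice"]},
    "not_pdf": {"file_type": "docx", "logos": ["DocuSign"],
                "urls": ["https://files.example/invoice"]},
}

if __name__ == "__main__":
    for name, att in SAMPLES.items():
        print(f"{name:20} flag={should_flag(att)}")
```

A naive `"docusign.com" in url` test would mark both lookalike samples as trusted; the hostname comparison flags them.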
Categories
- Web
- Endpoint
- Cloud
Data Sources
- File
- Process
Created: 2025-02-03