Brand Impersonation: Fake DocuSign HTML table not linking to DocuSign domains

Sublime Rules

Summary
This detection rule identifies brand impersonation in emails that mimic DocuSign templates. It specifically targets HTML table elements styled as DocuSign documents whose links lead to non-DocuSign domains. The rule requires that the email is inbound, carries no attachments, and contains only a limited number of links. A series of regular expression checks look for DocuSign branding markers (such as the string 'DocuSign' in various HTML elements) together with the blue color scheme traditionally associated with the brand, a combination that may indicate a phishing attempt. To separate legitimate mail from spoofed mail, the rule cross-checks the sender's domain against a list of trusted domains and evaluates their DMARC authentication results, exempting trusted domains only when they pass authentication. It also discards legitimate replies by looking for specific references in the email headers. Combining content analysis and URL checks in this way, the rule mitigates the risk of credential phishing delivered through fake DocuSign communications.
Categories
  • Web
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Network Traffic
  • Process
  • Application Log
Created: 2024-04-29