
Summary
This rule is designed to detect potential business email compromise (BEC) and phishing attempts delivered through the DocSend service. It focuses on DocSend email notifications whose reply-to address uses a newly registered domain, a pattern that suggests the notification may be fraudulent. To trigger an alert, the rule first checks that the sending infrastructure is legitimate, accepting only messages from 'no-reply@docsend.com'. It then inspects the headers to confirm that SPF and DMARC authentication passed, so the message has cleared basic sender verification. Next, it requires a reply-to address that has not previously interacted with the recipient's organization, which increases the likelihood that the message is a phishing attempt. Finally, it checks the age of the reply-to domain: a domain less than 30 days old raises a flag. This combination of checks is crucial for identifying emails that may be part of a sophisticated social engineering or impersonation attempt.
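As an added illustration (not the rule's own query or code), the Python below models the four checks described above over constructed sample messages; the domain registration dates, the known-correspondent list, and the evaluation date are hypothetical stand-ins for the enrichment data the rule relies on.

```python
from datetime import date
from email import message_from_string
from email.utils import parseaddr

TRUSTED_SENDER = "no-reply@docsend.com"
MAX_DOMAIN_AGE_DAYS = 30
EVAL_DATE = date(2024, 12, 18)  # constructed evaluation date

# Constructed stand-ins (hypothetical values) for the rule's enrichment data:
# domain registration dates and reply-to addresses the org has already seen.
DOMAIN_CREATED = {
    "docsend.com": date(2013, 1, 1),
    "invoice-portal-new.test": date(2024, 12, 10),
}
KNOWN_REPLY_TO = {"accounts@long-time-vendor.test"}

def auth_passed(auth_results: str) -> bool:
    """True only if Authentication-Results reports spf=pass and dmarc=pass."""
    results = auth_results.lower()
    return "spf=pass" in results and "dmarc=pass" in results

def domain_age_days(domain: str, today: date):
    """Days since registration, or None when the domain's age is unknown."""
    created = DOMAIN_CREATED.get(domain)
    return None if created is None else (today - created).days

def evaluate(raw_message: str, today: date = EVAL_DATE) -> bool:
    """Apply the rule's four checks; True means the message should alert."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender != TRUSTED_SENDER:           # must be DocSend's own notifier
        return False
    if not auth_passed(msg.get("Authentication-Results", "")):
        return False                       # spoofed mail is out of scope here
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if not reply_to or reply_to in KNOWN_REPLY_TO:
        return False                       # no reply-to, or a known correspondent
    age = domain_age_days(reply_to.rsplit("@", 1)[-1], today)
    return age is not None and age < MAX_DOMAIN_AGE_DAYS

# Constructed sample: a DocSend notification whose reply-to points at a domain
# registered eight days before the evaluation date.
SUSPICIOUS = (
    "From: DocSend <no-reply@docsend.com>\n"
    "Reply-To: finance@invoice-portal-new.test\n"
    "Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=docsend.com;"
    " dmarc=pass header.from=docsend.com\n"
    "Subject: Document shared with you\n\nPlease review.\n"
)
# Constructed sample: same sender, but the reply-to domain is long established.
BENIGN = SUSPICIOUS.replace("finance@invoice-portal-new.test", "sales@docsend.com")
```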
Categories
- Endpoint
- Cloud
- Web
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2024-12-18