Brand impersonation: DocuSign

Sublime Rules

Summary
This rule detects phishing emails that impersonate the electronic signature platform DocuSign. It looks for several indicators: sender email addresses that closely resemble official DocuSign domains, variations in display names, and message content that mimics legitimate DocuSign communications. The detection logic checks for known DocuSign branding in the email body and for links that lead to domains not associated with DocuSign, which helps distinguish genuine messages from malicious ones. The focus is on common impersonation tactics, including lookalike domains and social engineering techniques that manipulate recipients into providing sensitive information or clicking unsafe links. False positives are reduced by checks against trusted sender domains and known configurations of legitimate emails.
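The signals described in the summary can be sketched in Python as follows. This is an added example, not the rule's own source: the trusted-domain set, the 0.8 similarity threshold, the helper names and both sample messages are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = {"docusign.com", "docusign.net"}  # assumption: legitimate DocuSign domains
BRAND = "docusign"

def registrable(host):
    # Naive last-two-labels domain; production code should use the Public Suffix List.
    return ".".join((host or "").lower().rstrip(".").split(".")[-2:])

def looks_like_brand(text, threshold=0.8):
    # Undo common digit swaps (0->o, 1->l), then fuzzy-match each word and the joined words.
    words = re.findall(r"[a-z]+", text.lower().translate(str.maketrans("01", "ol")))
    words.append("".join(words))  # catches "Docu Sign" / "docu-sign"
    return any(SequenceMatcher(None, w, BRAND).ratio() >= threshold for w in words)

def evaluate(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = registrable(addr.rpartition("@")[2])
    body = msg.get_payload()
    hosts = [urlparse(u).hostname for u in re.findall(r"https?://[^\s\"'<>]+", body)]
    signals = {
        "display_name_brand": looks_like_brand(display),
        "sender_lookalike": sender not in TRUSTED and looks_like_brand(sender),
        "body_brand": BRAND in body.lower(),
        "untrusted_link": any(registrable(h) not in TRUSTED for h in hosts),
    }
    branded = signals["display_name_brand"] or signals["sender_lookalike"] or signals["body_brand"]
    # The trusted-sender check suppresses false positives on genuine DocuSign mail.
    signals["flagged"] = sender not in TRUSTED and branded and signals["untrusted_link"]
    return signals

# Constructed sample messages (not real traffic).
PHISH = ('From: "D0cuSign Service" <notify@docusiqn-mail.example>\n'
         "Subject: Please review and sign\n\n"
         "Your document is ready in DocuSign.\n"
         "Review: https://sign.files-portal.example/doc?id=1\n")
LEGIT = ('From: "DocuSign" <dse@docusign.net>\n'
         "Subject: Please review and sign\n\n"
         "Review document: https://www.docusign.net/Signing/?ti=abc\n")

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, evaluate(raw))
```

The From header alone can be forged, so trusting a sender domain is only sound when the message also passes sender authentication, which this sketch does not check.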
Categories
  • Web
  • Identity Management
  • Endpoint
Data Sources
  • User Account
  • Web Credential
  • Network Traffic
Created: 2021-02-19