
Link: Multistage Landing - Abused Docusign

Sublime Rules

Summary
This detection rule identifies suspicious email messages that use DocuSign as a landing page for phishing attacks. It first confirms that an incoming message originates from a valid DocuSign source by filtering on the sender's email domain and ensuring that the source is authenticated via SPF and DMARC. It then scrutinizes the links in the message, looking specifically for links that are external to DocuSign and assessing them against several criteria, such as domain age, the use of free hosting services, URL shorteners, and common phishing indicators. If a link's domain is recently registered, or the link redirects to a CAPTCHA page or leads to a known phishing website, specifically those with keywords like ‘view’ or ‘click’, the rule flags the message as a potential phishing attempt.
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • User Account
  • Network Traffic
  • Web Credential
Created: 2024-07-26