Service Abuse: HelloSign Share with Suspicious Sender or Document Name

Sublime Rules

Summary
The rule detects potentially malicious emails from HelloSign that notify users of document sharing requests. It first confirms that the message genuinely comes from HelloSign: the sender address must match the known legitimate address 'noreply@mail.hellosign.com', and the message must pass SPF and DMARC authentication checks. It then checks the subject for specific phrases, such as ' - Signature Requested', and excludes messages with known associations to legitimate communications within the organization, primarily to reduce false positives. Alerts are raised on suspicious sender names, document-type keywords (such as 'invoice', 'receipt' or 'urgent'), file types, and phrases that convey urgency or demand action. The detection uses string matching and regular expressions to identify these indicators, which are common to social-engineering and evasion tactics that abuse legitimate document-signing services.
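The following is an added illustration of the detection logic described above, written for this page; it is not the Sublime rule itself and not code from the Sublime project. The message fields, the keyword lists, the organization allowlist, the subject format and the sample notifications are all constructed assumptions chosen to show how the gating (authenticated HelloSign sender, subject marker, organization exclusion) separates scope from the indicators that actually raise an alert.

```python
import re
from dataclasses import dataclass

# Legitimate HelloSign sender named on the page; the SPF/DMARC gate keeps the
# rule scoped to genuine notifications (spoofed ones are a different problem).
LEGIT_HELLOSIGN_SENDER = "noreply@mail.hellosign.com"
SUBJECT_MARKERS = (" - Signature Requested",)  # share-notification phrase from the page

# Constructed keyword sets (assumed; the page names only 'invoice', 'receipt', 'urgent').
DOC_KEYWORDS = re.compile(
    r"\b(invoice|receipt|urgent|payment|overdue|remittance|wire|statement)\b", re.I)
FILE_TYPE_IN_NAME = re.compile(r"\.(pdf|docx?|xlsx?|html?|zip)\b", re.I)
ACTION_PHRASES = re.compile(
    r"\b(action required|immediately|final notice|respond today|verify your account)\b", re.I)
SUSPICIOUS_SENDER_NAME = re.compile(
    r"\b(help ?desk|it support|it department|security team|billing|payroll|"
    r"accounts payable|administrator)\b", re.I)

# Assumed stand-in for "known legitimate associations with the organization":
# people whose shares are expected and therefore suppressed.
KNOWN_ORG_CONTACTS = {"jane doe", "acme legal"}


@dataclass
class Message:
    """Fields assumed to be extracted upstream from the HelloSign notification."""
    sender_email: str      # envelope/From address of the notification
    sharer_name: str       # person shown as sharing the document
    document_name: str     # title of the shared document
    subject: str
    spf_pass: bool
    dmarc_pass: bool


def evaluate(msg: Message) -> list[str]:
    """Return the names of the indicators that fire; an empty list means no alert."""
    # Gate 1: only authenticated mail from the real HelloSign sender is in scope.
    if msg.sender_email.lower() != LEGIT_HELLOSIGN_SENDER:
        return []
    if not (msg.spf_pass and msg.dmarc_pass):
        return []
    # Gate 2: the subject must carry a share-notification marker.
    subject = msg.subject.lower()
    if not any(marker.lower() in subject for marker in SUBJECT_MARKERS):
        return []
    # Gate 3: suppress shares from contacts already known to the organization.
    if msg.sharer_name.strip().lower() in KNOWN_ORG_CONTACTS:
        return []

    indicators = []
    if SUSPICIOUS_SENDER_NAME.search(msg.sharer_name):
        indicators.append("suspicious_sender_name")
    if DOC_KEYWORDS.search(msg.document_name):
        indicators.append("document_keyword")
    if FILE_TYPE_IN_NAME.search(msg.document_name):
        indicators.append("file_type_in_name")
    if ACTION_PHRASES.search(msg.document_name) or ACTION_PHRASES.search(msg.subject):
        indicators.append("action_phrase")
    return indicators


# Constructed sample notifications (assumed subject format, not HelloSign's actual template).
SAMPLES = {
    "benign_known_sharer": Message(
        LEGIT_HELLOSIGN_SENDER, "Jane Doe", "Q3 Vendor Agreement",
        "Jane Doe has shared 'Q3 Vendor Agreement' - Signature Requested", True, True),
    "benign_unknown_sharer": Message(
        LEGIT_HELLOSIGN_SENDER, "Carlos Ruiz", "Lease Renewal 2024",
        "Carlos Ruiz has shared 'Lease Renewal 2024' - Signature Requested", True, True),
    "suspicious_share": Message(
        LEGIT_HELLOSIGN_SENDER, "IT Support", "Urgent Invoice.pdf",
        "IT Support has shared 'Urgent Invoice.pdf' - Signature Requested", True, True),
    "failed_auth_out_of_scope": Message(
        LEGIT_HELLOSIGN_SENDER, "IT Support", "Urgent Invoice.pdf",
        "IT Support has shared 'Urgent Invoice.pdf' - Signature Requested", False, True),
}


def run_samples() -> dict[str, list[str]]:
    """Evaluate every constructed sample and return name -> fired indicators."""
    return {name: evaluate(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in run_samples().items():
        print(f"{name:28s} -> {'ALERT ' + ', '.join(fired) if fired else 'no alert'}")
```

Note that an unknown sharer alone does not alert: the rule fires only when one of the content indicators is present, which is what keeps it usable on a tenant that receives many legitimate HelloSign requests from outside parties.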
Categories
  • Web
  • Cloud
  • Endpoint
Data Sources
  • User Account
  • Application Log
  • Process
Created: 2024-12-03