
Brand impersonation: DocuSign branded attachment lure with no DocuSign links
Sublime Rules
Summary
The rule detects phishing attempts that use DocuSign branding in an attachment while the message contains no legitimate DocuSign link. It matches emails from untrusted senders that carry image or PDF attachments, and checks those attachments for DocuSign logos or references that may indicate a credential-theft lure. Header analysis establishes whether the sender is legitimate, and the email body and attachments are inspected for phishing indicators, including a check that the message's links do not lead to legitimate DocuSign domains. File contents are analyzed with Natural Language Understanding (NLU) and Optical Character Recognition (OCR) for suspicious keywords and credential-theft intent, and sender profile analysis is used to keep false positives low.
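The following MQL is an added illustration of the logic summarised above, not the published rule's source; the DocuSign root-domain list and the "high" confidence threshold are assumptions.

```mql
// Added illustration of the detection logic described in the summary;
// not the published rule's source. Assumed: the DocuSign root domains
// listed below and the "high" intent-confidence threshold.
type.inbound

// Only image or PDF attachments are in scope
and any(attachments,
        (.file_type in $file_types_images or .file_extension == "pdf")
        and any(file.explode(.),
                // DocuSign branding found by logo detection or in OCR text
                (
                    any(ml.logo_detect(.).brands, .name == "DocuSign")
                    or strings.ilike(.scan.ocr.raw, "*docusign*")
                )
                // OCR text carries a credential-theft intent
                and any(ml.nlu_classifier(.scan.ocr.raw).intents,
                        .name == "cred_theft" and .confidence == "high")
        )
)

// No link in the body resolves to a legitimate DocuSign domain (assumed list)
and not any(body.links,
            .href_url.domain.root_domain in ("docusign.com", "docusign.net"))

// Sender is untrusted: not a DocuSign domain, and not a sender the
// organisation has already exchanged solicited mail with
and sender.email.domain.root_domain not in ("docusign.com", "docusign.net")
and not profile.by_sender().solicited
```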
Categories
- Endpoint
- Cloud
- Web
- Application
Data Sources
- File
- Image
- Process
- Network Traffic
- User Account
Created: 2024-10-08