Service Abuse: Adobe Sign Notification From an Unsolicited Reply-To Address

Sublime Rules

Summary
This rule detects malicious emails that masquerade as legitimate Adobe Sign notifications and direct replies to an unsolicited address. It matches messages from well-known sender addresses (specifically those on Adobe's official infrastructure) and then analyzes the reply-to address. A reply-to address with no prior engagement with the organization, meaning it has never sent mail to the organization and has not been classified as benign, indicates a potential security risk. The rule uses header analysis and sender analysis to validate the authenticity of incoming emails and to detect potential Business Email Compromise (BEC) or phishing attempts. Flagging unrecognized reply-to addresses on otherwise legitimate Adobe Sign notifications protects against fraudulent communications that exploit organizational trust in reputable service providers.
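The check described in the summary, sketched in Python as an added example; it is not the rule's own source. The `adobesign.com` sender domain, the two history sets and every sample address are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: domain treated as Adobe Sign sending infrastructure.
ADOBE_SIGN_DOMAINS = {"adobesign.com"}

# Constructed organization history (all addresses are made up).
KNOWN_SENDERS = {"contracts@partner.example"}   # have sent mail to the org before
BENIGN_SENDERS = {"legal@vendor.example"}       # classified benign by an analyst


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def unsolicited_reply_to(raw, known=KNOWN_SENDERS, benign=BENIGN_SENDERS):
    """Return the reply-to addresses that trip the rule, or [] if none do."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    if _domain(sender) not in ADOBE_SIGN_DOMAINS:
        return []  # not from the Adobe Sign sender, out of scope
    # Reply-To may repeat or hold several addresses; compare case-insensitively.
    reply_to = [a.lower() for _, a in getaddresses(msg.get_all("Reply-To", [])) if a]
    return [a for a in reply_to if a not in known and a not in benign]


def _mail(sender, reply_to=None):
    headers = [f"From: {sender}", "To: ap@corp.example", "Subject: Signature requested"]
    if reply_to:
        headers.append(f"Reply-To: {reply_to}")
    return "\n".join(headers) + "\n\nPlease review and sign.\n"


ADOBE = "Adobe Sign <adobesign@adobesign.com>"
SAMPLES = {  # constructed messages
    "unknown": _mail(ADOBE, "Pay Desk <Billing@Unknown.example>"),
    "known": _mail(ADOBE, "contracts@partner.example"),
    "benign": _mail(ADOBE, "legal@vendor.example"),
    "mixed": _mail(ADOBE, "legal@vendor.example, new@stranger.example"),
    "no_reply_to": _mail(ADOBE),
    "other_service": _mail("notify@esign.example", "billing@unknown.example"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} -> {unsolicited_reply_to(raw) or 'no match'}")
```

In production the two history sets would come from the mail platform's sender history rather than static sets.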
Categories
  • Endpoint
  • Cloud
  • Application
  • Identity Management
Data Sources
  • User Account
  • Web Credential
  • Application Log
Created: 2025-05-01