Brand Impersonation: DocuSign with embedded QR code

Sublime Rules

Summary
This detection rule targets phishing attempts that impersonate DocuSign by analyzing inbound messages for a specific combination of traits. It looks for unsolicited messages that carry a DocuSign logo, QR-code language, and an embedded QR code. To match, a message must be at most 1000 characters long and have no attachments, its text must contain phrases about QR codes and scanning, and a computer vision model must detect the DocuSign logo in the content. The rule then checks whether the sender is a known trusted domain and does not fire when DMARC authentication passes for such a domain. If not, any past malicious or spam messages from the sender also contribute to the evaluation. By combining message-content checks, sender profiling, and advanced detection methods, the rule identifies likely credential phishing attempts impersonating DocuSign.
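A worked illustration of how these conditions combine, added here as example code rather than the rule's own query logic. The trusted-domain list, the message fields and the sample messages are assumptions constructed for the demo; logo and QR detection are modelled as already-computed fields.

```python
import re
from dataclasses import dataclass

# Assumed list of legitimate DocuSign sending domains (placeholder, not from the rule).
TRUSTED_DOCUSIGN_DOMAINS = {"docusign.com", "docusign.net"}
MAX_BODY_LEN = 1000
QR_LANGUAGE = re.compile(r"\bqr\s*code\b|\bscan(?:ning)?\b", re.IGNORECASE)


@dataclass
class Message:
    """Constructed stand-in for the message attributes the rule consults."""
    sender_domain: str
    dmarc_pass: bool
    body_text: str
    attachment_count: int
    has_qr_code: bool        # output of QR detection over embedded images
    detected_logos: set      # brands reported by the logo-detection model
    prior_messages: int      # earlier messages seen from this sender
    prior_flagged: int       # earlier messages from this sender judged malicious/spam


def mentions_qr_scanning(text: str) -> bool:
    """True when the body talks about QR codes or scanning."""
    return bool(QR_LANGUAGE.search(text))


def is_docusign_qr_phish(msg: Message, trusted=TRUSTED_DOCUSIGN_DOMAINS) -> bool:
    """Apply the rule's conditions in the order the summary describes."""
    if len(msg.body_text) > MAX_BODY_LEN or msg.attachment_count != 0:
        return False                       # short body, no attachments required
    if not (msg.has_qr_code and mentions_qr_scanning(msg.body_text)):
        return False                       # need an embedded QR code and QR wording
    if "docusign" not in {b.lower() for b in msg.detected_logos}:
        return False                       # logo model must see the DocuSign brand
    if msg.sender_domain.lower() in trusted and msg.dmarc_pass:
        return False                       # genuine DocuSign mail negates the rule
    # Unsolicited sender, or a known sender with a malicious/spam history.
    return msg.prior_messages == 0 or msg.prior_flagged > 0


# Constructed samples: a lookalike sender and authentic DocuSign mail with the same body.
BODY = "You have a document to review. Scan the QR code below with your phone to sign."
LOOKALIKE = Message("docs-secure-mail.example", False, BODY, 0, True, {"DocuSign"}, 0, 0)
AUTHENTIC = Message("docusign.com", True, BODY, 0, True, {"DocuSign"}, 12, 0)
KNOWN_BAD = Message("docs-secure-mail.example", False, BODY, 0, True, {"DocuSign"}, 3, 1)
WITH_ATTACHMENT = Message("docs-secure-mail.example", False, BODY, 1, True, {"DocuSign"}, 0, 0)
```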
Categories
  • Web
  • Identity Management
Data Sources
  • User Account
  • Network Traffic
Created: 2024-05-02