Service Abuse: HelloSign From an Unsolicited Sender Address

Sublime Rules

Summary
This detection rule targets potential phishing attempts that abuse HelloSign by identifying unsolicited emails from newly observed sender addresses. It inspects several message components, including the HTML body and email headers, to extract the sender information. The rule checks whether the sender's address originates from the HelloSign domain and whether the message passes SPF and DMARC authentication. It then checks whether the sender's address has been seen before and whether it belongs to a common free email provider. Using regex matching and layered conditions, it flags messages as risky when the sender has no established history with known recipients, the organization's domains, or previously seen sender domains. By combining HTML content analysis with sender validation, the rule reduces the risk of credential phishing delivered through social engineering.
Categories
  • Web
  • Cloud
  • Identity Management
  • Endpoint
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2025-05-01