
Summary
This detection rule analyzes inbound messages originating from Adobe Sign to identify potential callback phishing attempts. It requires that the message be unsolicited, or that the sender has a history of sending malicious or spam content with no false positives. The email must come from the domain 'adobesign.com' and pass SPF or DMARC authentication. The rule then inspects the message body for at least three callback phishing terms alongside a phone number, and also checks for key brand names such as PayPal and Norton. When the message body is fewer than 1750 characters, the rule flags the message as potential phishing if it meets a specific set of criteria regarding the language used and the presence of a phone number, either in the body text or detected in an image through optical character recognition (OCR). Additionally, repeated occurrences of previous email threads in the message body are assessed to limit false positives, improving detection accuracy.
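The following Python script is an added illustration of the decision flow the summary describes; it is not the rule's own code. The callback-phishing vocabulary, the phone-number pattern, the quoted-thread heuristic, the SenderProfile fields and the sample messages are all constructed for the example, and the choice to accept either three terms or a brand name alongside a phone number is an interpretation of the summary's wording. Only the 1750-character body limit and the three-term minimum come from the page.

```python
import re
from dataclasses import dataclass, field

# Constructed vocabulary and thresholds; the real rule's term list, phone
# pattern and thread heuristic are not on the page.
CALLBACK_TERMS = [
    "invoice", "subscription", "renewal", "charged", "refund",
    "cancel", "call", "contact us", "unauthorized", "billing",
]
BRANDS = ["paypal", "norton"]
MAX_BODY_CHARS = 1750   # from the summary: body must be fewer than 1750 chars
MIN_TERMS = 3           # from the summary: at least three callback terms
# Loose North American phone-number pattern (constructed for the example).
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Lines that usually open a quoted earlier message in a thread (assumed heuristic).
THREAD_MARKER_RE = re.compile(
    r"^(?:from:|on .+ wrote:|-{3,}\s*original message\s*-{3,})",
    re.IGNORECASE | re.MULTILINE,
)
MAX_QUOTED_THREADS = 1  # assumed: two or more quoted messages looks like a real thread


@dataclass
class SenderProfile:
    """Hypothetical stand-in for a sender-reputation lookup."""
    prevalence: str                 # "new" means the sender has not been seen before
    any_malicious_or_spam: bool     # sender previously sent malicious or spam mail
    any_false_positives: bool       # some of those verdicts were later overturned


@dataclass
class Message:
    sender_domain: str
    spf_pass: bool
    dmarc_pass: bool
    body: str
    ocr_text: str = ""              # text recovered from inline or attached images
    sender: SenderProfile = field(
        default_factory=lambda: SenderProfile("new", False, False))


def count_terms(text: str) -> int:
    lower = text.lower()
    return sum(1 for term in CALLBACK_TERMS if term in lower)


def has_phone(text: str) -> bool:
    return PHONE_RE.search(text) is not None


def has_brand(text: str) -> bool:
    lower = text.lower()
    return any(brand in lower for brand in BRANDS)


def evaluate(msg: Message) -> dict:
    """Walk the summary's conditions in order and stop at the first that fails."""
    result = {"match": False, "reason": ""}
    if msg.sender_domain.lower() != "adobesign.com":
        result["reason"] = "sender domain is not adobesign.com"
        return result
    if not (msg.spf_pass or msg.dmarc_pass):
        result["reason"] = "neither SPF nor DMARC passed"
        return result
    unsolicited = msg.sender.prevalence == "new"
    bad_history = msg.sender.any_malicious_or_spam and not msg.sender.any_false_positives
    if not (unsolicited or bad_history):
        result["reason"] = "known sender without a clean malicious/spam history"
        return result
    if len(msg.body) >= MAX_BODY_CHARS:
        result["reason"] = "body too long for the callback-phishing profile"
        return result
    quoted = len(THREAD_MARKER_RE.findall(msg.body))
    if quoted > MAX_QUOTED_THREADS:
        result["reason"] = f"{quoted} quoted earlier messages; likely a real thread"
        return result
    terms = count_terms(msg.body)
    phone = has_phone(msg.body) or has_phone(msg.ocr_text)   # body text or OCR
    brand = has_brand(msg.body) or has_brand(msg.ocr_text)
    result.update(terms=terms, phone=phone, brand=brand)
    # Interpretation of the summary: a phone number is required, paired with
    # either enough callback-phishing vocabulary or an impersonated brand.
    if phone and (terms >= MIN_TERMS or brand):
        result["match"] = True
        result["reason"] = "callback phishing indicators with phone number"
    else:
        result["reason"] = "insufficient callback phishing indicators"
    return result


# Constructed sample messages (none are real mail).
SAMPLES = {
    "text_lure": Message("adobesign.com", True, True,
        "Your Norton subscription renewal invoice has been processed. You were "
        "charged $349.99. To cancel or request a refund, call 1-800-555-0199 "
        "within 24 hours."),
    "image_lure": Message("adobesign.com", True, False,
        "Please review and sign the attached document.",
        ocr_text="PayPal billing alert: unauthorized transaction of $499. "
                 "Call (888) 555-0142 to dispute."),
    "spoofed_domain": Message("adobesign.example", True, True,
        "Your Norton subscription renewal invoice ... call 1-800-555-0199."),
    "real_thread": Message("adobesign.com", True, True,
        "Thanks, signed.\n\nFrom: alice@example.test\n"
        "Please sign the renewal invoice.\n\nFrom: bob@example.test\n"
        "Call me at 1-800-555-0199 if the billing subscription is wrong.",
        sender=SenderProfile("common", True, False)),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, evaluate(msg))
```

The image_lure sample is the case the OCR clause exists for: the body alone carries no callback vocabulary, and the phone number and brand name live only in the image text. The real_thread sample shows the false-positive control, where a sender with bad history and plenty of callback terms is still suppressed because the body is dominated by quoted earlier messages.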
Categories
- Endpoint
- Cloud
- Web
Data Sources
- User Account
- Network Traffic
- Application Log
Created: 2025-03-12