
Summary
This detection rule identifies PDF attachments that impersonate DocuSign by inspecting their content for the DocuSign logo and evaluating the domains linked from within the document. It targets PDFs that carry a DocuSign logo and link to newly registered domains (created within the last three days), combining logo detection, URL extraction and WHOIS lookups to establish domain age. To limit false positives from legitimate DocuSign traffic, the rule checks the sending domain against a list of high-trust domains: a message from a trusted domain is excluded only when it also passes DMARC authentication, so a trusted domain name that fails DMARC (a likely spoof) is still evaluated. The rule also excludes bulk or relayed mail, in particular messages whose display name contains the word 'via', which typically indicates a mailing list or forwarding service that can obscure the real sender.
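The following is an added example that models the decision logic described above as stand-alone Python; it is not the vendor's rule or its query language. The field names, the high-trust domain list, the WHOIS creation dates and the sample messages are all constructed for illustration, and the logo detector is assumed to have already run (its result is a boolean on the attachment).

```python
"""Added example: simplified model of the DocuSign PDF lure / newly registered
domain detection. All names, dates and sample data below are constructed."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional
from urllib.parse import urlsplit

MAX_DOMAIN_AGE_DAYS = 3

# Assumed high-trust sender list (the real rule's list is not shown on the page).
HIGH_TRUST_DOMAINS = {"docusign.com", "docusign.net"}

# Constructed stand-in for WHOIS creation dates; real code would query WHOIS/RDAP.
WHOIS_CREATED = {
    "docusign.net": date(1998, 2, 5),
    "example.org": date(1995, 8, 14),
    "secure-docusign-review.com": date(2023, 10, 24),
}

# Whole-word, case-insensitive match so "Olivia Chen" does not count as "via".
VIA_PATTERN = re.compile(r"\bvia\b", re.IGNORECASE)


@dataclass
class Attachment:
    filename: str
    content_type: str
    has_docusign_logo: bool   # output of the logo/image detector, assumed precomputed
    links: list[str]          # URLs extracted from the PDF body


@dataclass
class Message:
    sender_domain: str
    display_name: str
    dmarc_pass: bool
    attachments: list[Attachment]


def root_domain(url: str) -> Optional[str]:
    """Registrable domain of a URL. Simplified to the last two labels;
    production code should resolve this with the public suffix list."""
    host = urlsplit(url).hostname
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def domain_age_days(domain: str, today: date, whois=WHOIS_CREATED) -> Optional[int]:
    """Days since registration, or None when WHOIS has no creation date."""
    created = whois.get(domain)
    return None if created is None else (today - created).days


def is_newly_registered(domain: str, today: date, whois=WHOIS_CREATED) -> bool:
    age = domain_age_days(domain, today, whois)
    return age is not None and 0 <= age <= MAX_DOMAIN_AGE_DAYS


def evaluate(msg: Message, today: date, whois=WHOIS_CREATED) -> list[tuple[str, str]]:
    """Return (attachment filename, domain) pairs that satisfy the rule.
    An empty list means the message does not match."""
    # A trusted sender that also passes DMARC is treated as legitimate traffic.
    # A trusted domain that FAILS DMARC is not excluded: the name may be spoofed.
    if msg.sender_domain.lower() in HIGH_TRUST_DOMAINS and msg.dmarc_pass:
        return []
    # Mailing-list / forwarding relays ("Alice via Group") obscure the real sender.
    if VIA_PATTERN.search(msg.display_name):
        return []
    hits = []
    for att in msg.attachments:
        if att.content_type != "application/pdf" or not att.has_docusign_logo:
            continue
        for url in att.links:
            dom = root_domain(url)
            if dom and is_newly_registered(dom, today, whois):
                hits.append((att.filename, dom))
    return hits


# Constructed sample messages covering the match and each exclusion.
TODAY = date(2023, 10, 26)
LURE_PDF = Attachment("Completed_Document.pdf", "application/pdf", True,
                      ["https://login.secure-docusign-review.com/sign?id=1"])
SAMPLE_MESSAGES = {
    "lure_from_unknown_sender": Message("review-mailer.com", "DocuSign", True, [LURE_PDF]),
    "legitimate_docusign": Message("docusign.net", "DocuSign", True, [Attachment(
        "Summary.pdf", "application/pdf", True, ["https://app.docusign.net/signing/start"])]),
    "spoofed_trusted_sender": Message("docusign.net", "DocuSign", False, [LURE_PDF]),
    "relayed_via_group": Message("example.org", "Alice Smith via Contracts Team", True, [LURE_PDF]),
    "old_domain_link": Message("review-mailer.com", "DocuSign", True, [Attachment(
        "Notice.pdf", "application/pdf", True, ["https://example.org/doc"])]),
}

if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        print(f"{name}: {evaluate(msg, TODAY) or 'no match'}")
```

Run stand-alone, the script reports a match for the unknown-sender lure and for the spoofed trusted sender (DMARC fail), and no match for genuine DocuSign mail, the relayed 'via' message, and a PDF whose link points at a long-established domain. Note that a lure whose sender domain is an attacker-controlled domain with a valid DMARC record still matches, since the trust exception only applies to domains on the high-trust list.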
Categories
- Web
- Cloud
- Endpoint
- Other
Data Sources
- File
- User Account
- Network Traffic
Created: 2023-10-26