Callback Phishing via DocuSign comment

Sublime Rules

Summary
This detection rule targets potential callback phishing attacks that abuse DocuSign communications by analyzing incoming messages that appear to come from legitimate DocuSign infrastructure. The rule requires that messages originate from the docusign.net domain and have passed SPF or DMARC authentication checks, so that sender legitimacy is established before content is examined. It then inspects the message body for key callback phishing phrases associated with well-known brands such as McAfee, Norton, PayPal and eBay, and requires at least three matching terms related to purchases, transactions and support-related queries. The presence of a recognizable phone number format in the message content is a further indicator of suspicious activity. Finally, the message is checked for a DocuSign logo detected via machine learning. By combining content analysis with header scrutiny, the rule flags phishing attempts that hide inside a legitimate communication channel.
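As an added illustration (not the Sublime rule's own code), the following Python stand-in reproduces the detection logic described above over constructed sample messages; the term list, the phone pattern and the `sender_domain`, `spf_pass`, `dmarc_pass` and `logo_detected` fields are assumptions, and the logo check is taken as an upstream ML result rather than computed here.

```python
import re

# Constructed term list standing in for the rule's brand and callback phrases.
BRANDS = ("mcafee", "norton", "paypal", "ebay")
CALLBACK_TERMS = ("purchase", "transaction", "subscription", "renewal",
                  "invoice", "support", "refund", "charged", "order")

# Rough North American phone format, e.g. "+1 (800) 555-0199" or "800-555-0199".
# Separators are required so that bare digit runs in envelope IDs do not match.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}")


def matching_terms(body):
    """Return the sorted set of brand/callback terms found in the body."""
    text = body.lower()
    return sorted({t for t in BRANDS + CALLBACK_TERMS if t in text})


def is_callback_phish(msg):
    """Apply the rule's checks in order; msg is a dict of pre-parsed fields.

    Header checks (sender domain, SPF/DMARC) come first, then the body
    content checks, then the ML logo verdict supplied by the pipeline.
    """
    if msg["sender_domain"].lower() != "docusign.net":
        return False
    if not (msg["spf_pass"] or msg["dmarc_pass"]):
        return False
    if len(matching_terms(msg["body"])) < 3:
        return False
    if not PHONE_RE.search(msg["body"]):
        return False
    return bool(msg["logo_detected"])


# Constructed sample messages (assumed pre-parsed by the mail pipeline).
PHISH = {
    "sender_domain": "docusign.net", "spf_pass": True, "dmarc_pass": False,
    "logo_detected": True,
    "body": ("Thank you for your McAfee Total Protection purchase. Your "
             "transaction of $349.99 has been processed. For a refund, call "
             "our support team at +1 (800) 555-0199 within 24 hours."),
}
BENIGN = {
    "sender_domain": "docusign.net", "spf_pass": True, "dmarc_pass": True,
    "logo_detected": True,
    "body": "Jane Doe has sent you a document to review and sign.",
}
```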
Categories
  • Cloud
  • Web
  • Application
Data Sources
  • User Account
  • Process
  • Network Traffic
Created: 2023-10-17