
Credential Phishing: DocuSign embedded image lure with no DocuSign domains in links
Sublime Rules
Summary
This detection rule identifies phishing emails that impersonate DocuSign by embedding an image of the DocuSign logo while sending from an address outside any recognized DocuSign domain. The rule confirms that no link in the message points at a legitimate DocuSign domain, checks that attachments are either absent or consist solely of small image files, and runs optical character recognition (OCR) over the images to look for phrases typically associated with DocuSign. It also weighs malicious or spam indicators associated with the sender, excludes replies to previous legitimate email threads, and applies checks to reduce false positives. Trusted senders are negated unless they fail DMARC authentication, adding a verification layer before a message from a trusted domain is exempted. Overall, the rule combines computer vision and natural language understanding to improve its detection of these fraudulent emails.
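The following is an added example that models the summary's decision logic in Python; it is not Sublime's rule source. The message structure, field names, the lists of DocuSign domains and OCR phrases, the size threshold for a "small" image, and the pre-extracted OCR text on each image are all assumptions chosen so the logic runs offline.

```python
"""Simplified model of the DocuSign embedded-image lure detection.

Added example, not Sublime's rule source. Field names, domain lists, phrases,
thresholds and the inline OCR text are assumptions so this runs offline.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed list of legitimate DocuSign domains (not from the rule page).
DOCUSIGN_DOMAINS = {"docusign.com", "docusign.net"}
# Assumed phrases an OCR step would look for in a DocuSign-branded image.
DOCUSIGN_PHRASES = ("docusign", "review document", "completed document")
# Assumed upper bound for a "small" logo image, in bytes.
MAX_SMALL_IMAGE_BYTES = 50_000
IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif"}


@dataclass
class ImagePart:
    content_type: str
    size: int
    ocr_text: str = ""  # text an OCR step would have extracted (constructed here)


@dataclass
class Message:
    sender: str
    links: list = field(default_factory=list)
    embedded_images: list = field(default_factory=list)  # inline ImagePart objects
    attachments: list = field(default_factory=list)  # file attachments as ImagePart objects
    is_reply_to_legit_thread: bool = False
    sender_trusted: bool = False
    dmarc_pass: bool = True


def domain_of(address_or_url: str) -> str:
    """Return the lowercase domain of an email address or URL."""
    if "@" in address_or_url:
        return address_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(address_or_url).hostname or "").lower()


def is_docusign_domain(domain: str) -> bool:
    """True for a DocuSign domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in DOCUSIGN_DOMAINS)


def attachments_absent_or_small_images(attachments) -> bool:
    return all(a.content_type in IMAGE_TYPES and a.size <= MAX_SMALL_IMAGE_BYTES
               for a in attachments)


def images_carry_docusign_branding(images) -> bool:
    return any(p in img.ocr_text.lower() for img in images for p in DOCUSIGN_PHRASES)


def is_docusign_lure(msg: Message) -> bool:
    """Apply the summary's conditions in order; any failing condition clears the message."""
    if is_docusign_domain(domain_of(msg.sender)):
        return False  # sender really is DocuSign
    if any(is_docusign_domain(domain_of(u)) for u in msg.links):
        return False  # a legitimate DocuSign link is present
    if not attachments_absent_or_small_images(msg.attachments):
        return False  # documents or large files are not this lure's shape
    if not images_carry_docusign_branding(msg.embedded_images):
        return False  # no DocuSign phrasing found by OCR
    if msg.is_reply_to_legit_thread:
        return False  # replies to previous legitimate email are excluded
    if msg.sender_trusted and msg.dmarc_pass:
        return False  # trusted sender negated unless DMARC failed
    return True


def sample_lure() -> Message:
    """Constructed message shaped like the lure the rule describes."""
    logo = ImagePart("image/png", 12_000, ocr_text="DocuSign - Please Review Document")
    return Message(sender="notify@lure-example.test",
                   links=["https://lure-example.test/view"],
                   embedded_images=[logo])


def sample_legit() -> Message:
    """Constructed message from a DocuSign domain with a DocuSign link."""
    logo = ImagePart("image/png", 12_000, ocr_text="DocuSign - Review Document")
    return Message(sender="dse@docusign.net",
                   links=["https://app.docusign.com/documents/1"],
                   embedded_images=[logo])


if __name__ == "__main__":
    print("lure flagged:", is_docusign_lure(sample_lure()))
    print("legit flagged:", is_docusign_lure(sample_legit()))
```

Each condition is a separate predicate so a false positive can be traced to the clause that let it through; in practice the OCR text would come from an image-processing step rather than an inline field.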
Categories
- Endpoint
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Web Credential
- Network Traffic
- Application Log
- Process
Created: 2023-11-21