diff --git a/detection-rules/abuse_docusign_sus_names.yml b/detection-rules/abuse_docusign_sus_names.yml
new file mode 100644
index 00000000000..d36bceb5f71
--- /dev/null
+++ b/detection-rules/abuse_docusign_sus_names.yml
@@ -0,0 +1,18 @@
+name: "Service Abuse: DocuSign Notification with Suspicious Sender or Document Name"
+description: "The detection rule is intended to match on messages sent from Docusign from a newly observed reply-to address which contains suspicious content within the document or sender display name."
+type: "rule"
+severity: "medium"
+source: "type.inbound\nand length(attachments) == 0\n\n// Legitimate Docusign sending infratructure\nand sender.email.domain.root_domain == 'docusign.net'\nand (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)\nand length(headers.reply_to) > 0\nand not any(headers.reply_to,\n            .email.domain.domain in $org_domains\n            or .email.domain.root_domain in $high_trust_sender_root_domains\n            or .email.domain.root_domain in (\"docusign.net\", \"docusign.com\")\n)\n\n  and length(headers.reply_to) > 0 \n  // reply-to email address has never been sent an email by the org\n  and not (\n    any(headers.reply_to, .email.email in $recipient_emails)\n    // if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains\n    or any(filter(headers.reply_to,\n                  // filter the list to only emails that are not in free_email_providers\n                  (\n                    .email.domain.domain not in $free_email_providers\n                    or .email.domain.root_domain not in $free_email_providers\n                  )\n           ),\n           .email.domain.domain in $recipient_domains\n    )\n  )\n  // reply-to address has never sent an email to the org\n  and not (\n    any(headers.reply_to, .email.email in $sender_emails)\n    // if the reply-to address is NOT in free_email_providers, check the domain in sender_domains\n    or any(filter(headers.reply_to,\n                  // filter the list to only emails that are not in free_email_providers\n                  (\n                    .email.domain.domain not in $free_email_providers\n                    or .email.domain.domain not in $free_email_providers\n                  )\n           ),\n           .email.domain.root_domain in $sender_domains\n    )\n  )\n\n// not a completed DocuSign\n// reminders are sent automatically and can be just as malicious as the initial\n// users often decline malicious ones\nand not strings.istarts_with(subject.subject, \"Completed: \")\nand not strings.istarts_with(subject.subject, \"Here is your signed document: \")\nand not strings.istarts_with(subject.subject, \"Voided: \")\nand (\n  // contains the word docusign before the `via Docusign` part\n  regex.icontains(sender.display_name, 'Docusign.*via Docusign$')\n  or strings.icontains(subject.subject, 'sharefile')\n  or strings.icontains(subject.subject, 'helloshare')\n\n  // sender names part of the subject\n  or (\n    // Billing Accounting\n    regex.icontains(sender.display_name,\n                    'Accounts? (?:Payable|Receivable).*via Docusign$',\n                    'Billing Support.*via Docusign$'\n    )\n\n    // HR/Payroll/Legal/etc\n    or regex.icontains(sender.display_name, 'Compliance HR.*via Docusign$')\n    or regex.icontains(sender.display_name,\n                       '(?:Compliance|Executive|Finance|\\bHR\\b|Human Resources|\\bIT\\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*(?:Department|Team)?.*via Docusign$'\n    )\n    or regex.icontains(sender.display_name,\n                       'Corporate Communications.*via Docusign$'\n    )\n    or regex.icontains(sender.display_name, 'Employee Relations.*via Docusign$')\n    or regex.icontains(sender.display_name, 'Office Manager.*via Docusign$')\n    or regex.icontains(sender.display_name, 'Risk Management.*via Docusign$')\n    or regex.icontains(sender.display_name,\n                       'Payroll Admin(?:istrator).*via Docusign$'\n    )\n\n    // IT related\n    or regex.icontains(sender.display_name,\n                       'IT Support.*via Docusign$',\n                       'Information Technology.*via Docusign$',\n                       '(?:Network|System)? Admin(?:istrator).*via Docusign$',\n                       'Help Desk.*via Docusign$',\n                       'Tech(?:nical) Support.*via Docusign$'\n    )\n  )\n  // filename analysis\n  // the filename is also contained in the subject line\n  or (\n    // scanner themed\n    regex.icontains(subject.subject, 'scanne[rd]')\n    // image theme\n    or regex.icontains(subject.subject, '_IMG_')\n    or regex.icontains(subject.subject, 'IMG[_-](?:\\d|\\W)+')\n\n    // Invoice Themes\n    or regex.icontains(subject.subject, 'Invoice')\n    or regex.icontains(subject.subject, 'INV\\b')\n    or regex.icontains(subject.subject, 'Payment')\n    or regex.icontains(subject.subject, '\\bACH\\b')\n    or regex.icontains(subject.subject, 'Wire Confirmation')\n    or regex.icontains(subject.subject, 'P[O0]\\W+?\\d+\\\"')\n    or regex.icontains(subject.subject, 'P[O0](?:\\W+?|\\d+)')\n    or regex.icontains(subject.subject, 'receipt')\n    or regex.icontains(subject.subject, 'Billing')\n    or regex.icontains(subject.subject, 'statement')\n    or regex.icontains(subject.subject, 'Past Due')\n    or regex.icontains(subject.subject, 'Remit(?:tance)?')\n    or regex.icontains(subject.subject, 'Purchase Order')\n    or regex.icontains(subject.subject, 'Settlementt')\n\n    // contract language\n    or regex.icontains(subject.subject, 'Pr[0o]p[0o]sal')\n    or regex.icontains(subject.subject, 'Claim Doc')\n\n    // Payroll/HR\n    or regex.icontains(subject.subject, 'Payroll')\n    or regex.icontains(subject.subject, 'Employee Pay\\b')\n    or regex.icontains(subject.subject, 'Salary')\n    or regex.icontains(subject.subject, 'Benefit Enrollment')\n    or regex.icontains(subject.subject, 'Employee Handbook')\n    or regex.icontains(subject.subject, 'Reimbursement Approved')\n\n    // \n    // shared files/extenstion/urgency/CTA\n    or regex.icontains(subject.subject, 'Urgent')\n    or regex.icontains(subject.subject, 'Important')\n    or regex.icontains(subject.subject, 'Secure')\n    or regex.icontains(subject.subject, 'Encrypt')\n    or regex.icontains(subject.subject, 'shared')\n    or regex.icontains(subject.subject, 'protected')\n    or regex.icontains(subject.subject, 'Validate')\n    or regex.icontains(subject.subject, 'Action Required')\n    or regex.icontains(subject.subject, 'Final Notice')\n    or regex.icontains(subject.subject, 'Review(?: and| & |\\s+)?Sign')\n    or regex.icontains(subject.subject, 'Download PDF')\n\n    // MFA theme\n    or regex.icontains(subject.subject, 'Verification Code')\n    or regex.icontains(subject.subject, '\\bMFA\\b')\n  )\n)\n"
+attack_types:
+  - "Callback Phishing"
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Evasion"
+  - "Social engineering"
+detection_methods:
+  - "Sender analysis"
+  - "Header analysis"
+  - "Content analysis"
+id: "5e4707cd-1953-5fe2-9a62-34e3026f0336"
+testing_pr: 2094
+testing_sha: cda27bc775e7a3a7b12182b2722c7023ae959985