diff --git a/detection-rules/link_multistage_docusign.yml b/detection-rules/link_multistage_docusign.yml
index f3e644c7e24..e26e5a6a9be 100644
--- a/detection-rules/link_multistage_docusign.yml
+++ b/detection-rules/link_multistage_docusign.yml
@@ -78,6 +78,10 @@ source: |
 )
 )
 )
+ or
+ length(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
+ .href_url.domain.root_domain not in ("docusign.net", "docusign.com")
+ )) > 0
 )
 attack_types:
 - "Credential Phishing"
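Review bot: The added `or` branch fires when the landed page contains even one link whose root domain is not docusign.net or docusign.com, which is a very broad trigger — a legitimate landing page commonly carries footer, privacy or social links, and DocuSign's other registered domains (country TLDs, support sites) would also count as a miss — so this branch is likely to become the rule's main false-positive source and should be tuned against a short allowlist before shipping. Links with a non-http href (`mailto:`, `tel:`, `javascript:`) may carry no `root_domain`; whether `null not in (...)` counts as a match is not visible here and is worth confirming, for example by adding `.href_url.domain.root_domain is not null and` inside the filter. As a point of style, `length(filter(...)) > 0` reads more naturally as `any(ml.link_analysis(., mode="aggressive").final_dom.links, .href_url.domain.root_domain not in ("docusign.net", "docusign.com"))`. The enclosing expression that binds `.` for `ml.link_analysis` starts before this hunk, so what link set this branch is evaluated against cannot be checked from here.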