diff --git a/detection-rules/attachment_docusign_image_lure_qr_code.yml b/detection-rules/attachment_docusign_image_lure_qr_code.yml
new file mode 100644
index 00000000000..9eb0ab58c17
--- /dev/null
+++ b/detection-rules/attachment_docusign_image_lure_qr_code.yml
@@ -0,0 +1,91 @@
+name: "Brand impersonation: DocuSign (QR code)"
+description: "Detects messages using DocuSign image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and any(attachments,
+ (.file_type in $file_types_images or .file_type == "pdf")
+ and (
+ any(ml.logo_detect(.).brands,
+ .name == "DocuSign" and .confidence in ("medium", "high")
+ )
+ or any(ml.logo_detect(beta.message_screenshot()).brands,
+ .name == "DocuSign"
+ )
+ )
+ )
+ and any(attachments,
+ (
+ .file_type in $file_types_images
+ or .file_type == "pdf"
+ or .file_type in $file_extensions_macros
+ )
+ and (
+ any(file.explode(.),
+ regex.icontains(.scan.ocr.raw, 'scan|camera')
+ and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
+ )
+ or (
+ any(file.explode(.),
+ .scan.qr.type == "url"
+ // recipient email address is present in the URL, a common tactic used in credential phishing attacks
+ and any(recipients.to,
+ strings.icontains(..scan.qr.data, .email.email)
+
+ // the recipients sld is in the senders display name
+ or any(recipients.to,
+ strings.icontains(sender.display_name,
+ .email.domain.sld
+ )
+ )
+
+ // the recipient local is in the body
+ or any(recipients.to,
+ strings.icontains(body.current_thread.text,
+ .email.local_part
+ )
+ )
+
+ // or the body is null
+ or body.current_thread.text is null
+ or body.current_thread.text == ""
+
+ // or the subject contains authentication/urgency verbiage
+ or regex.contains(subject.subject,
+ "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
+ )
+ )
+ )
+ )
+ )
+ )
+
+ and (
+ not any(headers.hops,
+ .authentication_results.compauth.verdict is not null
+ and .authentication_results.compauth.verdict == "pass"
+ and sender.email.domain.root_domain in ("docusign.net", "docusign.com")
+ )
+ )
+ and (
+ not profile.by_sender().solicited
+ or (
+ profile.by_sender().any_messages_malicious_or_spam
+ and not profile.by_sender().any_false_positives
+ )
+ )
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "PDF"
+ - "QR code"
+ - "Social engineering"
+detection_methods:
+ - "Computer Vision"
+ - "Header analysis"
+ - "QR code analysis"
+ - "Sender analysis"
+id: "0b16c28a-3f7e-5a90-bea5-473198424431"
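Review bot: The subject check at the end of the QR branch uses the case-sensitive `regex.contains` while the OCR checks earlier in the same hunk use `regex.icontains`, so the lowercase-only alternatives `2fa`, `alert` and `action.require` will not match subjects written as "ALERT" or "2FA"; change it to `or regex.icontains(subject.subject,` so the rule's text matching is consistently case-insensitive. The body-null and subject conditions do not depend on a recipient but are nested inside `any(recipients.to, …)`, so a message with an empty To header (BCC-only delivery) appears unable to satisfy them — worth confirming that is intended, or lifting those two conditions out of the recipients loop. The `.confidence in ("medium", "high")` filter is applied to the attachment logo detection but not to the `beta.message_screenshot()` branch; applying the same filter there would keep the two brand checks consistent and reduce low-confidence matches.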