diff --git a/detection-rules/impersonation_docusign.yml b/detection-rules/impersonation_docusign.yml
index 07654a57f89..5d526b0924f 100644
--- a/detection-rules/impersonation_docusign.yml
+++ b/detection-rules/impersonation_docusign.yml
@@ -301,6 +301,14 @@ source: |
 )
 )
 )
+or (
+strings.icontains(body.current_thread.text, 'Docusign')
+and (
+regex.icontains(body.html.raw, '[^<]*Easearch[^<]*')
+or regex.icontains(body.html.raw, '[^<]*(?:Docusign|Document)')
+or regex.icontains(body.html.raw, '{(?:domain|randomNumber\d?)}')
+)
+)
 )
 // identifies the main CTA in the email, eg "Review now" or "Review document"
@@ -347,6 +355,8 @@ source: |
 or strings.icontains(.display_text, "Document")
 )
 )
+or strings.icontains(.display_text, "complete tasks")
+or strings.icontains(.display_text, "View and complete")
 )
 ),
 // ensure those links aren't legit
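Review bot: The alternative `or regex.icontains(body.html.raw, '[^<]*(?:Docusign|Document)')` in the new `or (` block is satisfied by essentially every message that already passed the guard `strings.icontains(body.current_thread.text, 'Docusign')`, because the rendered thread text comes from the same HTML, so the whole block collapses to "the body mentions Docusign" and the `Easearch` and `{domain}`/`{randomNumber}` alternatives never narrow anything. Unless the enclosing condition, which starts and ends outside this hunk, restricts it further, that widens the rule to legitimate Docusign notifications and to any thread that quotes one; either drop that alternative or tie it to a concrete artefact the way the other two do. The `[^<]*` prefix and suffix in `'[^<]*Easearch[^<]*'` match the empty string and constrain nothing, so `strings.icontains(body.html.raw, 'Easearch')` is equivalent and clearer. A one-line comment above the regexes naming what each artefact is would help the next maintainer, e.g. `// unrendered template placeholders such as "{domain}" or "{randomNumber1}" left in the HTML` (assuming that is what the braces indicate).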