diff --git a/detection-rules/credential_phishing_corporate_services_impersonation_with_suspicious_link.yml b/detection-rules/credential_phishing_corporate_services_impersonation_with_suspicious_link.yml
index 9c0d121d14b..3a1c28448a0 100644
--- a/detection-rules/credential_phishing_corporate_services_impersonation_with_suspicious_link.yml
+++ b/detection-rules/credential_phishing_corporate_services_impersonation_with_suspicious_link.yml
@@ -20,7 +20,7 @@ source: |
 (
 length(subject.subject) > 20
 and regex.icontains(subject.subject,
- '(time.{0,4}sheet)|(employ|complete|update(?:d| to)).{0,30}(benefit|handbook|comp\b|compensation|salary|\bpay(?:roll)?\b|policy|conduct|acknowl|PTO|vacation|assess|eval)|(HR|Human Resources).{0,5}ADM[il]N',
+ '(time.{0,4}sheet)|(employ|complete|update(?:d| to| regarding our)).{0,30}(benefit|handbook|comp\b|compensation|salary|\bpay(?:roll)?\b|policy|policies|conduct|acknowl|PTO|vacation|assess|eval)|(HR|Human Resources).{0,5}ADM[il]N',
 // shorten the distance to 3 or less words for the word "review"
 // special handling of benefits
 '\breview\b(?:\w+(?:\s\w+)?|[[:punct:]]+|\s+){0,3}(benefits?(?:$|.?(?:statement|enrollment))|handbook|comp\b|compensation|salary|bonus|\bpay(?:roll)?\b)', 
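Review bot: The new subject alternation spells the plural out as two separate alternatives, `policy|policies`, while the link-text pattern in the same rule uses the compact `polic(?:y|ie)s?` form; using one form in both places keeps the two lists easier to compare when the next keyword is added, e.g. `...\bpay(?:roll)?\b|polic(?:y|ies)|conduct|...`. The added `| regarding our` branch and the plural widen what a subject can match, and the rule's other conditions that bound this (the link and sender clauses) sit outside this hunk, so a one-line comment above the pattern recording the sample that motivated "update regarding our" would help the next reviewer judge further widening. The enclosing `regex.icontains(subject.subject, ...)` call continues past the hunk.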
@@ -65,10 +65,11 @@ source: |
 and (
 any(body.links,
 regex.icontains(.display_text,
- '((verify|view|click|download|goto|keep|Vιew|release|access|open|allow|deny).{0,10}(request|here|report|attachment|current|download|fax|file|document|message|same|doc|access)s?)'
+ '(?:verify|view|click|download|goto|keep|Vιew|release|access|open|allow|deny|new).{0,10}(?:request|here|report|attachment|current|download|fax|file|document|message|same|doc|access|polic(?:y|ie))s?'
 )
 and not strings.ilike(.display_text, "*unsub*")
- and not strings.ilike(.href_url.url, "*privacy-policy*")
+ and not strings.ilike(.display_text, "*privacy?policy*")
+ and not strings.ilike(.href_url.url, "*privacy?policy*")
 and not strings.ilike(.display_text, "*REGISTER*")
 // from a low reputation link
@@ -190,9 +191,8 @@ source: |
 or (
 profile.by_sender().any_messages_malicious_or_spam
 and profile.by_sender().any_messages_benign
- and (
- not headers.auth_summary.dmarc.pass or not headers.auth_summary.spf.pass
- )
+ and not headers.auth_summary.dmarc.pass
+ and not headers.auth_summary.spf.pass
 )
 )
 // negate instances where proofpoint sends a review of a reported message via analyzer
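Review bot: The two new `*privacy?policy*` exclusions only cover a single separator character if `?` is a one-character wildcard in `strings.ilike`, so footer links rendered as "Privacy Policy" with no separator, a double space, or " - " still pass the exclusion and are then counted by the widened link-text pattern through its new `polic(?:y|ie)s?` alternative. A regex negation such as `and not regex.icontains(.display_text, 'privacy.{0,3}policy')` (and the same on `.href_url.url`) would cover those spellings in one place. Adding `new` to the verb list also lets generic notification text like "new message" or "new document" satisfy the link clause; if that is intended, a short comment above the pattern naming the sample it came from would make the trade-off explicit. The enclosing `any(body.links, ...)` call continues past the hunk.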
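Review bot: Replacing `not dmarc.pass or not spf.pass` with `not dmarc.pass and not spf.pass` drops the DMARC-fail/SPF-pass case from the mixed-history sender branch, and that combination is the usual result when the header From domain is spoofed but the message is relayed from infrastructure whose envelope domain has its own valid SPF record; the branch now fires only when both checks fail, which is the less common shape for a targeted lookalike. If the narrowing is deliberate to cut false positives on forwards, a comment on the new lines such as `// require both DMARC and SPF to fail: senders with mixed history often fail a single check on legitimate forwards` records the reason for the next tuner. It is also worth confirming how `not headers.auth_summary.dmarc.pass` evaluates when no DMARC record exists and the field is absent, since the conjunction now depends on both fields being populated. The enclosing `or (` block starts inside the hunk but the surrounding sender-profile condition begins before it.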