diff --git a/detection-rules/impersonation_microsoft_credential_theft.yml b/detection-rules/impersonation_microsoft_credential_theft.yml
index 177f9380113..f460e43d31d 100644
--- a/detection-rules/impersonation_microsoft_credential_theft.yml
+++ b/detection-rules/impersonation_microsoft_credential_theft.yml
@@ -122,7 +122,10 @@ source: |
 )
 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 )
- and not profile.by_sender().any_messages_benign
+ and not (
+ profile.by_sender().any_messages_benign
+ and coalesce(headers.auth_summary.dmarc.pass, false)
+ )
 attack_types:
 - "Credential Phishing"
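Review bot: The new negated group changes what "benign sender history" is allowed to suppress, but nothing in the hunk records why, so the next reader has to reverse the intent from `coalesce(headers.auth_summary.dmarc.pass, false)`. A one-line comment above the group would make the rationale explicit, e.g. `// benign sender history only exempts messages that actually pass DMARC; an unauthenticated message must not inherit the sender's reputation`. Worth stating in that comment, or in the rule description, that a missing DMARC result is deliberately treated as a failure via the `coalesce(..., false)` default, since that is the part most likely to be "simplified" away later. The `source:` expression this clause belongs to begins before the hunk, so the earlier `)` lines close groups that are not visible here.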