diff --git a/detection-rules/credential_theft_cloud_storage_impersonation.yml b/detection-rules/credential_theft_cloud_storage_impersonation.yml
index b69b6cc5d57..f5330289c0c 100644
--- a/detection-rules/credential_theft_cloud_storage_impersonation.yml
+++ b/detection-rules/credential_theft_cloud_storage_impersonation.yml
@@ -17,7 +17,8 @@ source: |
 "storage.{0,50}details",
 "storage.{0,50}quot",
 "(?:mailbox|cloud|account).{0,50}disabled",
- "(?:email|cloud|total).{0,50}storage"
+ "(?:email|cloud|total).{0,50}storage",
+ "(?:account|cloud).{0,50}(?:suspended?|at risk)"
 )
 and not strings.ilike(beta.ocr(file.message_screenshot()).text, "*free plan*")
 and (
@@ -26,10 +27,6 @@ source: |
 .display_text is null
 and .display_url.url is null
 and .href_url.domain.domain not in $tenant_domains
- and (
- .href_url.domain.root_domain in $free_file_hosts
- or .href_url.domain.root_domain == "beehiiv.com"
- )
 )
 )
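Review bot: The new OCR pattern `"(?:account|cloud).{0,50}(?:suspended?|at risk)"` in the first hunk is far more generic than its neighbours, which all anchor on storage/quota wording, so genuine account-security notices ("your account is at risk", "account suspended") will now satisfy this branch and the only remaining text-side exclusion is the `*free plan*` ilike check. Either bind the phrase to the storage theme the rule name implies or add negative test samples for legitimate suspension notices, and document the intent above the line, e.g. `# suspension / at-risk phrasing used in storage-quota lures; review FP rate`. The `suspended?` alternation also misses the noun form "suspension"; `suspen(?:ded?|sion)` would cover it if that wording is intended. This matters more if the second hunk does drop the `$free_file_hosts` / `beehiiv.com` root-domain restriction as it appears to, since the link side then no longer narrows the rule; the enclosing `source:` block begins above both hunks.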