diff --git a/detection-rules/impersonation_netflix.yml b/detection-rules/impersonation_netflix.yml
index dd55f6f1b43..36d3af75070 100644
--- a/detection-rules/impersonation_netflix.yml
+++ b/detection-rules/impersonation_netflix.yml
@@ -21,12 +21,14 @@ source: |
 .href_url.domain.tld not in ("com", "org", "net", "ms")
 and .href_url.domain.valid == true
 )
 )
- or 2 of (
- strings.icontains(body.current_thread.text, "restart"),
- strings.icontains(body.current_thread.text, "cancelled"),
- strings.icontains(body.current_thread.text, "membership"),
- strings.icontains(body.current_thread.text, "expir"),
- strings.icontains(body.current_thread.text, "payment")
+ or (
+ 2 of (
+ strings.icontains(body.current_thread.text, "restart"),
+ strings.icontains(body.current_thread.text, "cancelled"),
+ strings.icontains(body.current_thread.text, "membership"),
+ strings.icontains(body.current_thread.text, "expir"),
+ strings.icontains(body.current_thread.text, "payment")
+ )
 and length(body.links) > 0
 and not any(body.links, .href_url.domain.root_domain in ("netflix.com", "dvd.com", "netflixfamily.com")