diff --git a/detection-rules/sender_ad_distinguished_name.yml b/detection-rules/sender_ad_distinguished_name.yml
index d040c7f9e98..7b90ace8472 100644
--- a/detection-rules/sender_ad_distinguished_name.yml
+++ b/detection-rules/sender_ad_distinguished_name.yml
@@ -4,9 +4,12 @@ description: |
 type: "rule"
 severity: "medium"
 source: |
-  type.inbound
-  and regex.icontains(sender.display_name, '\b(EX|LABS|OU|CN|EXCHANGE)(=|/)')
-  and sender.email.domain.root_domain not in $org_domains
+  type.inbound
+  and (
+    regex.icontains(sender.display_name, '\b(EX|LABS|OU|CN|EXCHANGE)(=|/)')
+    or strings.icontains(sender.display_name, "/O=EXCHANGELABS")
+  )
+  and sender.email.domain.root_domain not in $org_domains
 tags:
   - "Suspicious sender"
 attack_types:
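Review bot: The added `strings.icontains(sender.display_name, "/O=EXCHANGELABS")` clause hard-codes one organisation value, so a display name that carries a legacy Exchange DN with a different `O=` component still only fires if an `OU=`, `CN=` or similar fragment also survives in it. If the intent is to catch any `O=` component, extending the existing alternation, `regex.icontains(sender.display_name, '\b(EX|LABS|O|OU|CN|EXCHANGE)(=|/)')`, covers that case in a single predicate without the extra parenthesised `or`; this does broaden the match, so if the narrower literal is deliberate a sentence in the rule's `description` block (which starts above the hunk) explaining why `EXCHANGELABS` is singled out would help whoever tunes this next. As a minor style point, the two clauses use different quoting (`'...'` for the regex, `"..."` for the literal) inside the same `source` block; picking one keeps it consistent.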