diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml
index 0070ab55275..9ff86750df6 100644
--- a/detection-rules/impersonation_amazon.yml
+++ b/detection-rules/impersonation_amazon.yml
@@ -25,6 +25,11 @@ source: |
 and sender.email.domain.root_domain in $free_email_providers
 )
 )
+ // negate listservs
+ and not (
+ any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
+ and strings.contains(sender.display_name, "via")
+ )
 and sender.email.domain.root_domain not in~ (
 'amazon.com',
 'amazon.com.au',
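Review bot: The listserv carve-out in the new `and not ( ... )` block is broader than its `// negate listservs` comment suggests, because `strings.contains(sender.display_name, "via")` is an unanchored, case-sensitive substring match that also hits ordinary display names such as "Olivia" or "Vivian"; paired with a List-Unsubscribe header, which any sender can add to a message, such a message is excluded from this impersonation rule. Matching the delimited token instead, e.g. `and strings.icontains(sender.display_name, " via ")`, keeps the intended "Name via Group" listserv case while removing the accidental name matches and the case sensitivity. The rule expression under `source:` begins before and continues after this hunk, so the full set of conditions the negation interacts with is not visible here.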