diff --git a/detection-rules/impersonation_microsoft_credential_theft.yml b/detection-rules/impersonation_microsoft_credential_theft.yml
index 06b0e693ebb..36f64134c9e 100644
--- a/detection-rules/impersonation_microsoft_credential_theft.yml
+++ b/detection-rules/impersonation_microsoft_credential_theft.yml
@@ -4,12 +4,30 @@ type: "rule"
 severity: "high"
 source: |
 type.inbound
- and length(attachments) == 0
+ and (
+ (
+ length(attachments) > 0
+ and all(attachments,
+ .file_type in $file_types_images or .file_type == "pdf"
+ )
+ )
+ or length(attachments) == 0
+ )
 and any(ml.logo_detect(beta.message_screenshot()).brands,
 strings.starts_with(.name, "Microsoft")
 )
- and any(ml.nlu_classifier(body.current_thread.text).intents,
- .name == "cred_theft" and .confidence in ("medium", "high")
+ and (
+ any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name == "cred_theft" and .confidence in ("medium", "high")
+ )
+ or (
+ length(body.current_thread.text) == 0
+ and any(file.explode(beta.message_screenshot()),
+ any(ml.nlu_classifier(.scan.ocr.raw).intents,
+ .name == "cred_theft" and .confidence in ("medium", "high")
+ )
+ )
+ )
 )
 and (
 not (
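Review bot: The OCR fallback in the second added block is gated on `length(body.current_thread.text) == 0`, so a message whose visible text is a single image plus a token of filler (a space, a signature line, "see attached") takes the text-NLU branch instead, where the classifier has almost nothing to score and the cred_theft intent is unlikely to reach medium/high confidence; the rule then misses exactly the image-only lure the fallback was added for. Consider widening the gate to a short-body threshold, e.g. `length(body.current_thread.text) < 10`, or dropping the length condition and letting the OCR branch run whenever the text branch does not match (the screenshot OCR is already bounded to the rendered message). The first added block now admits image and PDF attachments, but neither branch inspects their content; if that is intentional it deserves a one-line comment in the rule, `# image/pdf attachments are allowed but not scanned; screenshot OCR covers the rendered body only`. The `source` expression continues past the end of the hunk (`and ( not (`), so the remaining exclusions were not reviewed here.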