diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
index 6bb839e781f..0a2ae633dcf 100644
--- a/detection-rules/callback_phishing_nlu_body_or_attachments.yml
+++ b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
@@ -10,10 +10,11 @@ source: |
 any(attachments, (.file_type in $file_types_images or .file_type == "pdf")
 and any(file.explode(.),
-
- // exclude images taken with mobile cameras
+
+ // exclude images taken with mobile cameras and screenshots from android
 not any(.scan.exiftool.fields,
- .key == "Model" and strings.istarts_with(.value, "Iphone")
+ .key == "Model"
+ or .key == "Software" and strings.starts_with(.value, "Android")
 )
 and any(ml.nlu_classifier(.scan.ocr.raw).intents,
 .name == "callback_scam" and .confidence == "high"
@@ -37,6 +38,7 @@ source: |
 and not profile.by_sender().any_false_positives
 )
 )
+
 attack_types:
 - "Callback Phishing"
 tactics_and_techniques:
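Review bot: The rewritten exclusion on the added `.key == "Model"` line now suppresses the alert whenever any EXIF Model tag is present, whatever its value, whereas the removed line at least required the value to start with "Iphone"; since EXIF metadata is entirely sender-controlled, a callback-phishing image or PDF-embedded image can be stamped with an arbitrary Model (or a Software tag beginning with "Android") using exiftool to bypass the rule, so a value constraint such as `.key == "Model" and strings.istarts_with(.value, "iphone")` or an explicit allow-list of device models would be safer than tag presence. The new Android branch also switches from the case-insensitive `strings.istarts_with` used before to the case-sensitive `strings.starts_with`, so a "android"-prefixed Software value would not be excluded, which looks unintentional. Assuming `and` binds tighter than `or` in the rule language, the intended grouping is `.key == "Model" or (.key == "Software" and strings.starts_with(.value, "Android"))`; writing the parentheses out would make that explicit and the comment should say "any EXIF Model tag" rather than "mobile cameras", since the condition no longer restricts to mobile devices. The enclosing `any(file.explode(.), ...)` begins before this hunk and continues past it.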