diff --git a/detection-rules/credential_phishing_esign_document_notification.yml b/detection-rules/credential_phishing_esign_document_notification.yml
index 3a37d9c7c62..8995b237dea 100644
--- a/detection-rules/credential_phishing_esign_document_notification.yml
+++ b/detection-rules/credential_phishing_esign_document_notification.yml
@@ -72,7 +72,18 @@ source: |
 or (regex.icontains(body.html.inner_text, 'Document') and length(body.html.inner_text) < 300)
 // common greetings via email.local_part
 or any(recipients.to,
- strings.icontains(body.current_thread.text, .email.local_part)
+ // use count to ensure the email address is not part of a disclaimer
+ strings.icount(body.current_thread.text, .email.local_part) >
+ // sum allows us to add more logic as needed
+ sum([
+ strings.icount(body.current_thread.text,
+ strings.concat('was sent to ', .email.email)
+ ),
+ strings.icount(body.current_thread.text,
+ strings.concat('intended for ', .email.email)
+ )
+ ]
+ )
 )
 // HR impersonation
 or strings.ilike(sender.display_name, "HR", "H?R", "*Human Resources*")
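Review bot: The left-hand `strings.icount(body.current_thread.text, .email.local_part)` is a raw substring count, so it still picks up the local part wherever it appears in the thread text — inside the domain half of the very `.email.email` the disclaimer phrases are meant to cancel (a local part that is also a substring of the domain), or inside ordinary words for short local parts — and in those cases the count stays above the disclaimer sum and the greeting clause fires with no actual greeting present. The net-count comparison itself holds up against an attacker padding the body with extra "was sent to"/"intended for" phrases, since each one adds to both sides, so the weakness is only the unanchored counting; if the rule language has a regex count, a word-boundary pattern around the local part would tighten it, otherwise this is worth a caveat. The two disclaimer phrases are only the ones visible here, and any variant wording (e.g. "addressed to", "delivered to", or a line break between the phrase and the address in the text rendering) falls outside the cancellation — presumably what the "add more logic as needed" comment anticipates, but a comment listing the known gaps would help the next tuner. I would also make the first added comment describe what the comparison actually guarantees, e.g. `// require at least one local_part mention beyond those inside the recognised disclaimer phrases`. The `any(recipients.to, …)` call is complete within the hunk, but the enclosing `source` expression continues on both sides of it.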