diff --git a/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml b/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml
index 849592d655b..92325b3de87 100644
--- a/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml
+++ b/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml
@@ -7,25 +7,29 @@ source: |
 type.inbound
 and any(attachments,
 (
- .file_extension in~ ("html", "htm", "shtml", "dhtml")
+ .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
 or (
 .file_extension is null
 and .file_type == "unknown"
 and .content_type == "application/octet-stream"
- and .size < 100000000
 )
 or .file_extension in~ $file_extensions_common_archives
 or .file_type == "html"
+ or .content_type == "text/html"
 )
 and any(file.explode(.),
 // suspicious identifiers
- any(.scan.javascript.identifiers, strings.like(., "atob", "decrypt"))
- // Recipients address found in javascript
- and any(recipients.to,
- any(..scan.javascript.strings, strings.icontains(., ..email.email))
+ any([.scan.strings.strings, .scan.javascript.identifiers],
+ any(., strings.like(., "*atob*", "*decrypt*"))
 )
 )
- )
+ // Recipients address found in javascript
+ and any(file.explode(.),
+ any(recipients.to,
+ any(..scan.javascript.strings, strings.icontains(., ..email.email))
+ )
+ )
+ )
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
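Review bot: The recipient check on the new side still reads only `..scan.javascript.strings`, while the identifier check just above it was widened to `.scan.strings.strings` as well, so a recipient address placed in a plain HTML string or a non-JavaScript part of the exploded file is still not matched; consider adding `or any(..scan.strings.strings, strings.icontains(., ..email.email))` inside the `any(recipients.to, …)` block if the broader strings scan does not raise false positives in your telemetry. Splitting the original single `any(file.explode(.), …)` into two separate calls also means the suspicious identifier and the recipient address no longer have to come from the same exploded file, which for archive attachments lets the two conditions match across sibling files — plausibly intended, but worth stating with a comment such as `// identifier and recipient may come from different exploded files`. Dropping `.size < 100000000` on the null-extension/octet-stream branch removes the only bound on what that branch hands to `file.explode`; if the explode step has no internal size cap, a very large opaque binary attachment now incurs a full scan. The `source` block continues outside this hunk.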