diff --git a/detection-rules/attachment_html_smuggling_unescape.yml b/detection-rules/attachment_html_smuggling_unescape.yml
index b4ccb82ceb2..7096c7d740b 100644
--- a/detection-rules/attachment_html_smuggling_unescape.yml
+++ b/detection-rules/attachment_html_smuggling_unescape.yml
@@ -13,7 +13,10 @@ source: |
 or .file_extension in~ $file_extensions_common_archives
 or .file_type == "html"
 )
- and any(file.explode(.), any(.scan.javascript.identifiers, . == "unescape"))
+ and any(file.explode(.),
+ any(.scan.javascript.identifiers, . == "unescape")
+ or any(.scan.strings.strings, regex.contains(., "document.write.{0,10}unescape"))
+ )
 )
 attack_types:
 - "Credential Phishing"
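Review bot: The added `regex.contains(., "document.write.{0,10}unescape")` leaves both dots unescaped, so `.` matches any character and `document.write` is looser than the literal call the rule is after; escaping them as the rule language requires, e.g. `"document\\.write.{0,10}unescape"`, pins the intended token. The `.{0,10}` gap will also not span a line break if the engine's `.` excludes newlines, so a call wrapped across lines would be missed — worth confirming the engine's dot semantics before relying on this branch. Because `.scan.strings.strings` covers every string extracted from the exploded file, benign HTML that merely mentions this pattern in visible text will now match as well, so the rule's description (above the hunk, not visible here) should state the added strings heuristic and its expected false-positive profile.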