diff --git a/detection-rules/attachment_callback_phish_with_pdf.yml b/detection-rules/attachment_callback_phish_with_pdf.yml
index 5a6e88d96d7..e6d10a35549 100644
--- a/detection-rules/attachment_callback_phish_with_pdf.yml
+++ b/detection-rules/attachment_callback_phish_with_pdf.yml
@@ -45,7 +45,7 @@ source: |
 strings.icontains(.scan.ocr.raw, "cancel"),
 strings.icontains(.scan.ocr.raw, "renew"),
 strings.icontains(.scan.ocr.raw, "refund"),
- regex.icontains(.scan.ocr.raw, '\+\d')
+ regex.icontains(.scan.ocr.raw, '(\+\d|1.(\()?\d{3}(\))?\D\d{3}\D\d{4})')
 )
 )
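Review bot: The added alternative `1.(\()?\d{3}(\))?\D\d{3}\D\d{4}` only fires when the number is written with a leading `1`, so a callback number printed as `(NNN) NNN-NNNN` with no country code still gets past this signal. Because the `.` is unescaped and nothing anchors the `1`, the last digit of any longer number or amount can also start a match. Each separator is exactly one `\D`, which OCR output with doubled spaces or spaced-out dashes will not satisfy. Consider `regex.icontains(.scan.ocr.raw, '(\+\d|(1[\s.\-]?)?\(?\d{3}\)?[\s.\-]{1,3}\d{3}[\s.\-]{1,3}\d{4}\b)')`, which makes the country code optional, restricts the separators to an explicit class and ends the match on a word boundary. The enclosing `of (...)` list opens outside the hunk, so its threshold is not visible here; measure the false-positive change on benign PDFs before widening, and add a comment above the line naming the number formats the pattern is meant to cover.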