diff --git a/detection-rules/body_business_email_compromise_unsolicited.yml b/detection-rules/body_business_email_compromise_unsolicited.yml
index 911d91397be..a3181b43bd8 100644
--- a/detection-rules/body_business_email_compromise_unsolicited.yml
+++ b/detection-rules/body_business_email_compromise_unsolicited.yml
@@ -30,14 +30,16 @@ source: |
 // negate "via" senders via dmarc authentication or gmail autoforwards
 and (
- (
- not any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ not (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
 strings.ilike(.authentication_results.dmarc, "pass")
- or not any([headers.return_path.email],
- strings.ilike(headers.return_path.local_part, "*+caf_=*")
+ or (
+ not any([headers.return_path.email],
+ strings.ilike(headers.return_path.local_part, "*+caf_=*")
+ )
+ and strings.contains(sender.display_name, "via")
 )
 )
- and strings.contains(sender.display_name, "via")
 )
 )
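Review bot: The `strings.contains(sender.display_name, "via")` and return-path `*+caf_=*` checks are now placed inside the `any(distinct(headers.hops, .authentication_results.dmarc is not null), …)` iterator although neither depends on the hop, so on a message with no hop carrying a DMARC result the `any()` is false and the "via"/autoforward exclusion can never fire. Keeping only the per-hop DMARC test in the iterator and `or`-ing the hop-independent clause onto it outside the iterator avoids that gap and makes the negation's structure readable. The restructuring also makes explicit that a DMARC pass now negates regardless of the display name, which may be intended but goes beyond the "via" senders the comment above describes. Worth confirming the polarity of the autoforward branch as well: as written a "via" sender is excluded only when the return path is not a `+caf_=` autoforward, which reads opposite to the comment; the fence keeps the hunk's polarity with a note to confirm. The enclosing `source: |` expression continues outside the hunk.
```yaml
        // negate "via" senders via dmarc authentication or gmail autoforwards
        and (
          not (
            // per-hop: any hop with a DMARC result that passes
            any(distinct(headers.hops, .authentication_results.dmarc is not null),
                strings.ilike(.authentication_results.dmarc, "pass")
            )
            // hop-independent: "via" display name vs. gmail autoforward return path
            // (confirm intended polarity of the caf_ check against the comment above)
            or (
              not any([headers.return_path.email],
                      strings.ilike(headers.return_path.local_part, "*+caf_=*")
              )
              and strings.contains(sender.display_name, "via")
            )
          )
        )
```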