diff --git a/detection-rules/attachment_office365_image.yml b/detection-rules/attachment_office365_image.yml
index 321d563872d..69e07db82b6 100644
--- a/detection-rules/attachment_office365_image.yml
+++ b/detection-rules/attachment_office365_image.yml
@@ -1,11 +1,12 @@
 name: "Attachment: Microsoft 365 Credential Phishing"
 description: |
- Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
+ Looks for messages with an image attachment that contains words related to Microsoft, Office 365, and passwords.
 type: "rule"
 severity: "high"
 source: |
 type.inbound
 and length(filter(attachments, .file_type not in $file_types_images)) == 0
+ and 0 < length(attachments) < 4
 and (
 any(attachments,
 .file_type in $file_types_images
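Review bot: The new bound `0 < length(attachments) < 4` in `source` is an unexplained threshold, and the description edited in this same hunk does not mention it. With the upper bound in place, a message carrying four or more image attachments is no longer evaluated by this rule at all, so the limit is a coverage trade-off that should be stated where analysts will read it. I would extend the description with a sentence such as `Only messages with one to three attachments, all of them images, are evaluated.` and record why three was chosen (presumably to bound OCR cost or false positives; please confirm). The lower bound looks redundant if the `any(attachments, ...)` group that follows must match, but that group continues outside the hunk, so I cannot confirm it from here.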