diff --git a/detection-rules/attachment_docusign_image_suspicious_links.yml b/detection-rules/attachment_docusign_image_suspicious_links.yml
index cc36c841f99..6e9c4b6160f 100644
--- a/detection-rules/attachment_docusign_image_suspicious_links.yml
+++ b/detection-rules/attachment_docusign_image_suspicious_links.yml
@@ -39,13 +39,17 @@ source: |
 )
 )
 )
- and not any(file.explode(.),
- (
- strings.ilike(.scan.ocr.raw, "*DocuSigned By*")
- and not strings.ilike(.scan.ocr.raw,
- "*DocuSign Envelope ID*"
- )
+ and not any(file.explode(.),
+ (
+ strings.ilike(.scan.ocr.raw,
+ "*DocuSign Envelope ID*"
 )
+ or 2 of (
+ strings.ilike(.scan.ocr.raw, "*DocuSigned By*"),
+ strings.ilike(.scan.ocr.raw, "*Offering ID*"),
+ strings.ilike(.scan.ocr.raw, "*Document ID*")
+ )
+ )
 )
 )
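Review bot: The new `2 of (...)` branch of the exclusion can be satisfied by `*Offering ID*` and `*Document ID*` together, neither of which is DocuSign-specific, so the negation now also drops any attachment whose OCR text contains just those two generic phrases. All of these conditions, including the `*DocuSign Envelope ID*` match, key on text inside the scanned content, which the sender controls, so the block works as a false-positive filter and not as evidence that the document is genuine. Consider anchoring the branch on the DocuSign marker, e.g. `strings.ilike(.scan.ocr.raw, "*DocuSigned By*") and (strings.ilike(.scan.ocr.raw, "*Offering ID*") or strings.ilike(.scan.ocr.raw, "*Document ID*"))`, and adding a short `// exclude genuine DocuSign-signed documents` comment above the negation stating why it exists. The enclosing expression opens above the hunk, so whether a sender-authentication or sender-reputation condition already gates this exclusion cannot be confirmed from here.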