diff --git a/detection-rules/attachment_svg_embedded_js.yml b/detection-rules/attachment_svg_embedded_js.yml
index 1bb935303aa..59a59593ed0 100644
--- a/detection-rules/attachment_svg_embedded_js.yml
+++ b/detection-rules/attachment_svg_embedded_js.yml
@@ -11,14 +11,17 @@ severity: "medium"
 source: |
 type.inbound
 and any(attachments,
- (.file_extension =~ "svg" or .file_extension in $file_extensions_common_archives)
- and any(file.explode(.),
- .file_extension == "svg"
- and "script" in~ .scan.xml.tags
- // unclear if this is necessary, but it's been observed
- // in all payloads we've seen, so we'll include it
- // as an extra FP precaution
- and any(.scan.strings.strings, strings.icontains(., "CDATA"))
+ (
+ .file_extension =~ "svg"
+ or .file_extension in $file_extensions_common_archives
+ )
+ and strings.ilike(file.parse_text(.).text,
+ "*onload*",
+ "*window.location.href*",
+ "*onerror*",
+ "*CDATA*",
+ "**"
 )
 )
 and (
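Review bot: The last pattern passed to `strings.ilike` reads as `"**"`, which matches any text at all, so if that is really what the file contains the whole text check is always true and the attachment predicate collapses to the extension test; if it is a rendering artifact where a tag-like token was stripped, the intended literal should be restored and verified in the committed file. Independently of that, the old logic required both a `script` tag in the XML and a `CDATA` string, whereas the new `ilike` call fires on any single pattern, so `"*CDATA*"` alone (common in editor-exported SVGs that wrap CSS in CDATA) now triggers the rule and the false-positive guard the removed comment described is gone; consider keeping a script-presence requirement alongside the text patterns. The archive branch of the extension check also looks weaker now: `file.explode(.)` previously walked into archives to find an inner `.svg`, while `file.parse_text(.)` is applied to the attachment itself, so presumably an archived SVG no longer has its text inspected — worth confirming against a zipped sample. The enclosing `and (` clause continues outside the hunk.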