diff --git a/sublime_sec_ical_render_bender.yaml b/sublime_sec_ical_render_bender.yaml
new file mode 100644
index 0000000..7fff6cd
--- /dev/null
+++ b/sublime_sec_ical_render_bender.yaml
@@ -0,0 +1,16 @@
+name: iCal Render Bender Detection
+severity: medium
+reference: "https://gist.github.com/natesubra/0577178177ef64adce0866ee71ada41a"
+source:
+ type.inbound
+ and any(attachments, .file_extension in (".ical", ".ics", ".ifb", ".icalendar")
+ and any(file.explode(.),
+ any(.scan.yara.matches,
+ .name == "sus_calendar_attachment")
+ )
+ )
+ and headers.return_path.email != sender.email.email
+ and any(attachments, .content_type == "text/calendar")
+tags:
+ - "Social Engineering"
+ - "Pretext"
diff --git a/example.yara b/sus_calendar_attachment.yar
similarity index 61%
rename from example.yara
rename to sus_calendar_attachment.yar
index 09cf613..194dfcc 100644
--- a/example.yara
+++ b/sus_calendar_attachment.yar
@@ -1,4 +1,3 @@
-// https://gist.github.com/natesubra/0577178177ef64adce0866ee71ada41a
 rule Email_iCal_Spoof_Detection {
 meta:
 author = "Nate Subra"
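Review bot: The YARA match filter `.name == "sus_calendar_attachment"` in the `source` block compares against the new file name, while the rule identifier visible in the renamed `.yar` file is `Email_iCal_Spoof_Detection`; if the scanner reports the YARA rule identifier as the match name (as I would expect), the inner `any(.scan.yara.matches, ...)` can never be true and the whole detection is dead. Either change the line to `.name == "Email_iCal_Spoof_Detection"` or rename the YARA rule to match the file, and confirm which value the platform actually exposes. Separately, the two `any(attachments, ...)` clauses evaluate independent attachments, so a message with one `.ics` attachment and a different `text/calendar` part satisfies both; folding `.content_type == "text/calendar"` into the first `any(attachments, ...)` ties the type check to the attachment that was exploded. Worth checking too that the rule schema accepts a scalar `reference:` key rather than a `references:` list, since a rejected file fails silently in some loaders.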
@@ -6,27 +5,22 @@ rule Email_iCal_Spoof_Detection {
 description = "Detects emails with iCal attachments where ORGANIZER is a target domain but sender is not."
 severity = "MEDIUM"
 version = "1.2"
+ reference = "https://gist.github.com/natesubra/0577178177ef64adce0866ee71ada41a"
 strings:
- // Define a variable for the target domains
- // This regex group will be used in other regex strings
- // Populate this with the list of authorized domains that you expect icals to be forwarded or sent from from
- $target_domains_regex = "(natesubra|example)\\.com"
- // String to identify an iCal attachment by its Content-Type header
- $ical_content_type = "Content-Type: text/calendar" nocase ascii wide
+ $ical_content_type = "Content-Type: text/calendar" nocase ascii
 // String to identify the beginning of iCal content
- $ical_begin = "BEGIN:VCALENDAR" nocase ascii wide
+ $ical_begin = "BEGIN:VCALENDAR" nocase ascii
 // Regex to find 'ORGANIZER' field with the specific domains within iCal content
 // This accounts for various formats of the ORGANIZER field, including common CN (Common Name)
- // We use the $target_domains_regex variable here
- $ical_organizer_domain = /ORGANIZER(?:;CN=[^:]+)?:mailto:[^@]+@#target_domains_regex/ nocase ascii wide
+ $ical_organizer_domain = /ORGANIZER;(CN=[^:]+)?:mailto:[^@]+@(natesubra|example)\.com/ nocase ascii
 // Regex to find the 'From' header with the specific domains
 // We use the $target_domains_regex variable here
- $from_header_domain = /From:.*<[^@]+@#target_domains_regex>/ nocase ascii wide
+ $from_header_domain = /From:.*<[^@]+@(natesubra|example)\.com>/ nocase ascii
 condition:
 // Ensure it's likely an iCal attachment by checking content type or begin tag