diff --git a/detection-rules/impersonation_employee_payroll_fraud.yml b/detection-rules/impersonation_employee_payroll_fraud.yml
index 2fcc2f974c0..fb5b741a301 100644
--- a/detection-rules/impersonation_employee_payroll_fraud.yml
+++ b/detection-rules/impersonation_employee_payroll_fraud.yml
@@ -6,10 +6,12 @@ type: "rule"
 severity: "high"
 source: |
   type.inbound
-  // ensure the display name contains a space to avoid single named process accounts eg. 'billing, payment'
   and strings.contains(sender.display_name, " ")
-  and sender.display_name in~ $org_display_names
+  and (
+    sender.display_name in~ $org_display_names
+    or subject.base in~ $org_display_names
+  )
   and length(attachments) == 0
   and length(body.links) < 10
   and length(body.current_thread.text) < 800