diff --git a/insights/headers/phishing_simulation_knowbe4.yml b/insights/headers/phishing_simulation_knowbe4.yml
index 6f581178694..12b8516779c 100644
--- a/insights/headers/phishing_simulation_knowbe4.yml
+++ b/insights/headers/phishing_simulation_knowbe4.yml
@@ -13,11 +13,19 @@ source: |
     or (
       length(headers.ips) == 0
       and length(headers.hops) == 1
-      and any(headers.hops, any(.fields, .name == "X-PHISHTEST"))
-      and headers.return_path.domain.root_domain == "knowbe4.com"
-      and not sender.email.domain.root_domain == "knowbe4.com"
-      and any(headers.hops,
-        any(.fields, strings.icontains(.value, "injector.psm.knowbe4.com"))
+      and any(headers.hops, any(.fields, strings.starts_with(.name, "X-PHISH")))
+      and (
+        (
+          headers.return_path.domain.root_domain == "knowbe4.com"
+          and any(headers.hops,
+            any(.fields,
+              strings.icontains(.value, "injector.psm.knowbe4.com")
+            )
+          )
+        )
+        or any(headers.hops,
+          any(.fields, strings.icontains(.value, "gmailapi.google.com"))
+        )
       )
     )
   )
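Review bot: The new `or any(headers.hops, any(.fields, strings.icontains(.value, "gmailapi.google.com")))` alternative has no KnowBe4-specific anchor at all: combined with the relaxed `strings.starts_with(.name, "X-PHISH")` prefix test, any single-hop, no-IP message relayed through the Gmail API that carries a header whose name begins with `X-PHISH` is classified as a KnowBe4 simulation, whereas the old branch additionally required the `knowbe4.com` return-path domain. If this insight is used to suppress or down-rank detections (not visible here), that is a false-negative risk because the matched artifacts are not under the vendor's control. Consider tying the Gmail API branch to the vendor as well, e.g. adding `and any(headers.hops, any(.fields, strings.icontains(.value, "knowbe4.com")))` inside that branch, or keeping the return-path check outside the `or`. Note also that `strings.starts_with` is used on a header name while the surrounding checks use `strings.icontains`; if the prefix match is case-sensitive, `x-phish…` variants would fall through the intended path. The enclosing `source` expression begins before this hunk.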