diff --git a/detection-rules/impersonation_benefits_enrollment.yml b/detection-rules/impersonation_benefits_enrollment.yml
index 389ace3143e..dc83ca0cb39 100644
--- a/detection-rules/impersonation_benefits_enrollment.yml
+++ b/detection-rules/impersonation_benefits_enrollment.yml
@@ -17,7 +17,9 @@ source: |
 'healthcare (choice|selection|opt.?in)',
 '(fsa|hsa|401k) (enrol{1,2}ment|selection)',
 'dependent (coverage|verification)',
- '(health|dental|vision|insurance|medical) enrol{1,2}ment'
+ '(health|dental|vision|insurance|medical) enrol{1,2}ment',
+ 'employee\srewards',
+ 'allowance\s(adjustment|modification)'
 )
 or regex.icontains(body.current_thread.text,
 'benefit(s)? (plan|choice|selection|deadline|period)',
@@ -71,6 +73,28 @@ source: |
 )
 )
 )
+ ),
+ any(filter(attachments,
+ .file_type in $file_types_images
+ or .file_extension in $file_extensions_macros
+ or .file_type == "pdf"
+ ),
+ any(filter(file.explode(.),
+ .scan.qr.type == "url"
+ and any(recipients.to,
+ .email.domain.valid
+ and (
+ strings.icontains(..scan.qr.url.url, .email.email)
+ or any(beta.scan_base64(..scan.qr.url.url,
+ format="url"
+ ),
+ strings.icontains(., ..email.email)
+ )
+ )
+ )
+ ),
+ .scan.qr.url.url is not null
+ )
 )
 )
 // negate replies
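Review bot: The two added patterns use `\s` as the word separator while every neighbouring pattern in the list (`'dependent (coverage|verification)'`, `'(health|dental|vision|insurance|medical) enrol{1,2}ment'`) uses a literal space, so the list now mixes two conventions, and `\s` additionally matches tabs and line breaks that the sibling patterns do not. For consistency I would write `'employee rewards',` and `'allowance (adjustment|modification)'`, or switch the siblings to `\s` in the same change. The `regex.icontains(` call these patterns belong to opens above the hunk, so the field being matched is not visible here.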
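Review bot: The new attachment/QR branch carries no inline comment even though the file annotates branches this way (`// negate replies` directly after it), so a reader has to reconstruct that it looks for a QR code in an image, macro-bearing or PDF attachment whose decoded URL embeds a recipient address either verbatim or inside a base64-encoded segment; I would add `// QR code in an image/macro/PDF attachment whose URL embeds a recipient address, plainly or base64-encoded` above `any(filter(attachments,`. Separately, the predicate `.scan.qr.url.url is not null` in the outer `any` appears to be already implied by the `strings.icontains(..scan.qr.url.url, ...)` checks the filter must satisfy, so it reads as a leftover; if it is meant as belt-and-braces it deserves a short comment, otherwise the filter predicate could move into the `any` directly. The expression this block is appended to (the `),` on the first added line) opens above the hunk, so how it combines with the existing regex conditions is not visible here.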