diff --git a/detection-rules/credential_phishing_one_drive_impersonation.yml b/detection-rules/credential_phishing_one_drive_impersonation.yml
index dcf4f9f028c..d469c1d9d78 100644
--- a/detection-rules/credential_phishing_one_drive_impersonation.yml
+++ b/detection-rules/credential_phishing_one_drive_impersonation.yml
@@ -42,7 +42,9 @@ source: |
 )
 )
 )
- or regex.imatch(body.current_thread.text, '[0o]ne\s?dr[il1]ve.*')
+ or regex.imatch(strings.replace_confusables(body.current_thread.text),
+ '[0o]ne\s?dr[il1]ve.*'
+ )
 // or one drive is in the subject with a freefile host, additional suspicious language, or suspicious display text
 or (
 regex.icontains(strings.replace_confusables(subject.subject),
@@ -114,7 +116,6 @@ source: |
 and strings.contains(sender.display_name, "via")
 )
 and not profile.by_sender().any_messages_benign
-
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
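Review bot: The rewritten `regex.imatch(strings.replace_confusables(body.current_thread.text), '[0o]ne\s?dr[il1]ve.*')` clause keeps the ASCII character classes `[0o]` and `[il1]` alongside the new confusables normalization, and nothing in the hunk says why; a later cleanup could easily read them as redundant and drop them. If `strings.replace_confusables` folds only Unicode homoglyphs (confirm against the function's documentation), the classes are still what catches plain-ASCII substitutions like `0nedrive` or `dr1ve`, so I would add a comment above the clause: `// replace_confusables folds Unicode look-alikes; the [0o]/[il1] classes still cover plain-ASCII digit/letter swaps`. Separately, if `regex.imatch` is a whole-string match as its name suggests, this clause only fires when the normalized body starts with the OneDrive string, unlike the `regex.icontains` subject check two lines below; if that asymmetry is intentional it deserves a one-line note, otherwise `regex.icontains` with an unanchored pattern would be the consistent choice. The enclosing boolean expression starts before this hunk.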