diff --git a/detection-rules/brand_impersonation_procore.yml b/detection-rules/brand_impersonation_procore.yml
index c72ddccd95b..ab90273f694 100644
--- a/detection-rules/brand_impersonation_procore.yml
+++ b/detection-rules/brand_impersonation_procore.yml
@@ -14,7 +14,7 @@ source: |
 or (
 strings.iends_with(sender.display_name, 'via Procore')
 and any(body.current_thread.links,
- .href_url.domain.root_domain == "blogspot.com"
+ .href_url.domain.root_domain in $free_subdomain_hosts
 )
 )
 )
@@ -22,7 +22,7 @@ source: |
 sender.email.domain.root_domain in ("procore.com", "procoretech.com")
 and coalesce(headers.auth_summary.dmarc.pass, false)
 )
-
+
 // negating legit replies/forwards
 and not (
 (
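Review bot: The membership test added on the `+` line of the first hunk matches on `root_domain` alone, so a link to the bare host of any entry in `$free_subdomain_hosts` satisfies the `any(...)`, not only a link to a user-controlled subdomain. Because the list presumably covers far more hosts than the single `blogspot.com` it replaces, this may widen false positives for mail whose display name legitimately ends in 'via Procore' and which carries an ordinary link to one of those services. Consider requiring an actual subdomain inside the same `any(...)`, e.g. `and .href_url.domain.subdomain is not null` followed by `and .href_url.domain.subdomain != "www"`. The `source` expression starts and ends outside the hunk, so the negations that follow may already absorb part of this; worth confirming against a sample of benign Procore notifications.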