diff --git a/detection-rules/attachment_sus_employee_doc.yml b/detection-rules/attachment_sus_employee_doc.yml
index 2bd1426334a..051133c778d 100644
--- a/detection-rules/attachment_sus_employee_doc.yml
+++ b/detection-rules/attachment_sus_employee_doc.yml
@@ -4,56 +4,60 @@ type: "rule"
 severity: "medium"
 source: |
 type.inbound
+ // NOTE: This rule is designed for these values to match/sync subject.base and file names
 and (
 // the subject contains pay related items
 (
- strings.icontains(subject.subject, 'salary')
- or regex.icontains(subject.subject, '\bpay(?:out|roll|\b)')
- or strings.icontains(subject.subject, 'remuneration')
- or strings.icontains(subject.subject, 'bonus')
- or strings.icontains(subject.subject, 'incentive')
- or strings.icontains(subject.subject, 'merit')
- or strings.icontains(subject.subject, 'handbook')
- or strings.icontains(subject.subject, 'benefits')
- or strings.icontains(subject.subject, 'earnings')
+ strings.icontains(subject.base, 'salary')
+ or regex.icontains(subject.base, '\bpay(?:out|roll|\b)')
+ or strings.icontains(subject.base, 'remuneration')
+ or strings.icontains(subject.base, 'bonus')
+ or strings.icontains(subject.base, 'incentive')
+ or strings.icontains(subject.base, 'merit\b')
+ or strings.icontains(subject.base, 'handbook')
+ or strings.icontains(subject.base, 'benefits')
+ or strings.icontains(subject.base, 'earnings')
+ or strings.icontains(subject.base, 'contract')
+ or regex.icontains(subject.base, 'empl[o0]yment')
 )
 and (
- strings.icontains(subject.subject, 'review')
- or strings.icontains(subject.subject, 'breakdown')
- or strings.icontains(subject.subject, 'Access Your')
- or strings.icontains(subject.subject, 'evaluation')
- or regex.icontains(subject.subject, 'eval\b')
- or strings.icontains(subject.subject, 'assessment')
- or strings.icontains(subject.subject, 'appraisal')
- or strings.icontains(subject.subject, 'feedback')
- or strings.icontains(subject.subject, 'performance')
- or strings.icontains(subject.subject, 'adjustment')
- or strings.icontains(subject.subject, 'qualification')
- or strings.icontains(subject.subject, 'increase')
- or strings.icontains(subject.subject, 'raise')
- or strings.icontains(subject.subject, 'change')
- or strings.icontains(subject.subject, 'modification')
- or strings.icontains(subject.subject, 'distribution')
- or strings.icontains(subject.subject, 'details')
- or regex.icontains(subject.subject, 'revis(?:ed|ion)')
- or regex.icontains(subject.subject, 'amend(?:ed|ment)')
- or regex.icontains(subject.subject, 'update(?:d| to)')
- or strings.icontains(subject.subject, 'plan')
- or strings.icontains(subject.subject, 'notification')
+ strings.icontains(subject.base, 'review')
+ or strings.icontains(subject.base, 'breakdown')
+ or strings.icontains(subject.base, 'Access Your')
+ or strings.icontains(subject.base, 'evaluation')
+ or regex.icontains(subject.base, 'eval\b')
+ or strings.icontains(subject.base, 'assessment')
+ or strings.icontains(subject.base, 'appraisal')
+ or strings.icontains(subject.base, 'feedback')
+ or strings.icontains(subject.base, 'performance')
+ or strings.icontains(subject.base, 'adjustment')
+ or strings.icontains(subject.base, 'qualification')
+ or strings.icontains(subject.base, 'increase')
+ or strings.icontains(subject.base, 'raise')
+ or strings.icontains(subject.base, 'change')
+ or strings.icontains(subject.base, 'modification')
+ or strings.icontains(subject.base, 'distribution')
+ or strings.icontains(subject.base, 'details')
+ or regex.icontains(subject.base, 'revis(?:ed|ion)')
+ or regex.icontains(subject.base, 'amend(?:ed|ment)')
+ or regex.icontains(subject.base, 'update(?:d| to)')
+ or strings.icontains(subject.base, 'plan')
+ or strings.icontains(subject.base, 'notification')
 )
 )
 and 0 < length(attachments) <= 3
 and any(attachments,
- .file_extension in ("doc", "docx", "docm", "pdf")
+ .file_extension in ("doc", "docx", "docm", "pdf", "pptx")
 and (
 strings.icontains(.file_name, 'salary')
 or strings.icontains(.file_name, 'compensation')
 or regex.icontains(.file_name, '\bpay(?:roll|\b)')
 or strings.icontains(.file_name, 'bonus')
 or strings.icontains(.file_name, 'incentive')
- or strings.icontains(.file_name, 'merit')
+ or strings.icontains(.file_name, 'merit\b')
 or strings.icontains(.file_name, 'handbook')
 or strings.icontains(.file_name, 'benefits')
+ or regex.icontains(.file_name, 'empl[o0]yment')
 )
 and (
 strings.icontains(.file_name, 'review')
@@ -75,7 +79,10 @@ source: |
 or regex.icontains(.file_name, 'amend(?:ed|ment)')
 or regex.icontains(.file_name, 'adjust(?:ed|ment)')
 or regex.icontains(.file_name, 'update(?:d| to)')
- or regex.icontains(.file_name, '(January|February|March|April|May|June|July|August|September|October|November|December)\s20[2,3]{1}\d{1}')
+ or regex.icontains(.file_name,
+ '(January|February|March|April|May|June|July|August|September|October|November|December)\s20[2,3]{1}\d{1}'
+ )
+ or strings.icontains(.file_name, 'contract')
 or (
 // file name contains recipient's email
 any(recipients.to,
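Review bot: `strings.icontains(subject.base, 'merit\b')` is a plain substring match, so `\b` is two literal characters rather than a word boundary and the 'merit' term can no longer match any real subject; `strings.icontains(.file_name, 'merit\b')` further down this hunk has the same problem. The neighbouring `regex.icontains(subject.base, 'eval\b')` shows the working form, so the two lines should read `or regex.icontains(subject.base, 'merit\b')` and `or regex.icontains(.file_name, 'merit\b')`. Presumably the boundary was added to stop longer words such as "meritocracy" from matching; if so, a leading `\b` may be wanted as well, but that is a tuning choice for the author. The `source:` block and the `any(attachments, …)` expression continue past the end of this hunk.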
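Review bot: The new `strings.icontains(.file_name, 'contract')` lands in the file-name qualifier group (the one opened by `strings.icontains(.file_name, 'review')` at the end of the first hunk), whereas the subject side of the first hunk adds 'contract' to the pay-related group, so the NOTE's stated goal of keeping subject.base and file names in sync does not hold for this term. If the placement is deliberate, a short comment stating why would record it; otherwise the line belongs in the pay-related file-name group after `regex.icontains(.file_name, 'empl[o0]yment')`. The reflowed month pattern keeps `20[2,3]{1}\d{1}`, where `[2,3]` also matches a literal comma and `{1}` adds nothing; `20[23]\d` expresses the intended years without the stray comma. The enclosing `any(attachments, …)` expression starts and ends outside this hunk.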