diff --git a/detection-rules/impersonation_netflix.yml b/detection-rules/impersonation_netflix.yml
index 7e5bfb019df..8fe824e1023 100644
--- a/detection-rules/impersonation_netflix.yml
+++ b/detection-rules/impersonation_netflix.yml
@@ -10,10 +10,27 @@ authors:
 source: |
 type.inbound
 and (
- regex.icontains(strings.replace_confusables(sender.display_name), '[nm]etf[li][il]x')
- or strings.ilevenshtein(strings.replace_confusables(sender.display_name), 'netflix') <= 1
- or regex.icontains(strings.replace_confusables(sender.email.domain.domain), '[nm]etf[li][il]x')
- or regex.icontains(strings.replace_confusables(sender.display_name), 'n.{0,3}e.{0,3}t.{0,3}f.{0,3}l.{0,3}i.{0,3}x.{0,3}')
+ // obfuscated sender display name
+ (
+ sender.display_name is not null
+ and (
+ regex.icontains(strings.replace_confusables(sender.display_name),
+ '[nm]etf[li][il]x'
+ )
+ or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
+ 'netflix'
+ ) <= 1
+ or regex.icontains(strings.replace_confusables(sender.display_name),
+ 'n.{0,3}e.{0,3}t.{0,3}f.{0,3}l.{0,3}i.{0,3}x.{0,3}'
+ )
+ )
+ )
+ // obfuscated sender email
+ or regex.icontains(strings.replace_confusables(sender.email.domain.domain),
+ '[nm]etf[li][il]x'
+ )
+
+ // unusual recipient pattern + logo detect + credphish dispoistion
 or (
 (
 length(recipients.to) == 0
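Review bot: The comment on the last added line of this hunk misspells "disposition"; it should read `// unusual recipient pattern + logo detect + credphish disposition`. The display-name branch is now wrapped in a `sender.display_name is not null` guard, but the new `sender.email.domain.domain` branch has no equivalent; if that field can be null for inbound messages in this engine, adding the same guard would keep the two branches consistent — confirm against the message schema. The `and (` opened at the top of this hunk is closed outside it.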
@@ -23,17 +40,26 @@ source: |
 )
 )
 and any(ml.logo_detect(file.message_screenshot()).brands,
- .name == "Netflix"
- and .confidence in ("medium", "high")
- and (
- any(body.links,
- ml.link_analysis(.).credphish.disposition == "phishing"
- and ml.link_analysis(.).credphish.confidence in (
- "medium",
- "high"
- )
- )
- )
+ .name == "Netflix" and .confidence in ("medium", "high")
+ )
+ and (
+ any(body.links,
+ ml.link_analysis(.).credphish.disposition == "phishing"
+ and ml.link_analysis(.).credphish.confidence in ("medium", "high")
+ )
+ )
+ )
+ // logo detect + nlu (no link analysis)
+ or (
+ any(ml.logo_detect(file.message_screenshot()).brands, .name == "Netflix")
+ and any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name == "cred_theft"
+ )
+ and any(ml.nlu_classifier(body.current_thread.text).entities,
+ .name == "financial"
+ )
+ and any(ml.nlu_classifier(body.current_thread.text).topics,
+ .name == "Customer Service and Support"
 )
 )
 )
@@ -57,7 +83,6 @@ source: |
 'netflix.zendesk.com' // netflix actual support
 )
 and sender.email.email not in $recipient_emails
-
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
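Review bot: The new `// logo detect + nlu (no link analysis)` branch accepts a Netflix logo match at any confidence, whereas the branch directly above it requires `.confidence in ("medium", "high")`; a low-confidence logo hit combined with generic support-themed text is enough to fire the rule here. Suggest `any(ml.logo_detect(file.message_screenshot()).brands, .name == "Netflix" and .confidence in ("medium", "high"))`, and gating the `cred_theft` intent check on its confidence as well if the intent entries expose one. Evaluating `ml.nlu_classifier(body.current_thread.text)` three times in a row may also be worth folding into a single check if the language allows it; I cannot tell from the hunk whether the engine caches it. The `or (` group this hunk edits is opened in the preceding hunk and its enclosing `and (` is closed outside this one.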