diff --git a/detection-rules/brand_impersonation_robinhood.yml b/detection-rules/brand_impersonation_robinhood.yml
index 2b7970e2c60..226759b7bee 100644
--- a/detection-rules/brand_impersonation_robinhood.yml
+++ b/detection-rules/brand_impersonation_robinhood.yml
@@ -17,10 +17,16 @@ source: |
 )
 or strings.icontains(body.current_thread.text, 'The Robinhood Team')
 or regex.icontains(body.current_thread.text, '©\s*20[0-9]{2}\s*\s*Robinhood')
+ or strings.icontains(body.current_thread.text, "(888) 344-3957")
+ or strings.icontains(body.current_thread.text, "Financial LLC (Member SIPC)")
+ or strings.icontains(body.current_thread.text,
+ "Securities, LLC (Member SIPC)"
+ )
 or 2 of (
 strings.icontains(body.current_thread.text, "Robinhood"),
 regex.icontains(body.current_thread.text, '42 Willow (?:Road|St)'),
- strings.icontains(body.current_thread.text, "Menlo Park, CA 97095")
+ strings.icontains(body.current_thread.text, "Menlo Park, CA 97095"),
+ regex.icontains(body.current_thread.text, 'Email ID:?')
 )
 or (
 strings.icontains(sender.display_name, 'Robinhood')
@@ -29,9 +35,15 @@ source: |
 regex.icontains(body.current_thread.text, 'Location:?'),
 regex.icontains(body.current_thread.text, 'Time:'),
 regex.icontains(body.current_thread.text, 'Device:?'),
- regex.icontains(body.current_thread.text, 'IP Address:?')
+ regex.icontains(body.current_thread.text, 'IP Address:?'),
+ regex.icontains(body.current_thread.text, 'Date:'),
+ regex.icontains(body.current_thread.text, 'Region:?'),
+ regex.icontains(body.current_thread.text, 'App:?'),
 )
 or strings.icontains(body.current_thread.text, "new passkey added")
+ or strings.icontains(body.current_thread.text,
+ "Security support phone number:"
+ )
 )
 )
 or (
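Review bot: The new `"(888) 344-3957"` indicator on the first added line of the `@@ -17` hunk is an exact substring match, so the same number written as `888-344-3957`, `888.344.3957` or `+1 888 344 3957` will not fire, and a lure only needs to reformat the digits to sidestep this term. A formatting-tolerant pattern is cheap: `regex.icontains(body.current_thread.text, '\(?888\)?[\s.-]*344[\s.-]*3957')`. The `Email ID:?` entry added to the `2 of` group is a generic label, but it only counts alongside one of the Robinhood-specific terms in that group, so it is acceptable as written. The enclosing `or` chain begins before this hunk and continues past it.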
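Review bot: In the `@@ -29` hunk the added `'Region:?'` and `'App:?'` patterns make the colon optional and carry no boundary, so `regex.icontains` treats any text containing "region" or "app" (e.g. "regional", "application", "happy") as a matching label and inflates the count in the enclosing N-of list; the added `'Date:'` is safer because it requires the colon. Either require the colon or anchor the word: `regex.icontains(body.current_thread.text, '\bRegion:')` and `regex.icontains(body.current_thread.text, '\bApp:')`. The trailing comma after the `'App:?'` entry has no counterpart in the other lists of this rule (the `2 of (...)` group above ends without one), so confirm the rule parser accepts it or drop it. The list these entries extend is opened before the hunk, so the required match count is not visible here.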
@@ -67,9 +79,16 @@ source: |
 )
 // negate newsletters and webinars
 and not any(ml.nlu_classifier(body.current_thread.text).topics,
- .name in ("Newsletters and Digests", "Events and Webinars")
+ .name in (
+ "Newsletters and Digests",
+ "Health and Wellness",
+ "Events and Webinars"
+ )
 and .confidence == "high"
 )
+ and not any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name == "benign" and .confidence == "high"
+ )
 and not (
 sender.email.domain.root_domain in (
 "robinhood.com",
@@ -80,7 +99,6 @@ source: |
 )
 and coalesce(headers.auth_summary.dmarc.pass, false)
 )
-
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
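Review bot: The comment `// negate newsletters and webinars` in the `@@ -67` hunk no longer describes the block beneath it, which now also drops the `Health and Wellness` topic and, in the new `any(... .intents ...)` clause, every message the NLU classifier labels `benign` with high confidence; update it to `// negate newsletter, webinar and health/wellness topics, and high-confidence benign intent`. That benign-intent exclusion appears to sit at the same level as the other `and not` negations, so a lure the classifier reads as benign is suppressed regardless of how strong the brand indicators above were — worth checking against the rule's test samples that account-notification lures are not classified that way. The enclosing boolean expression begins before the hunk and runs past it.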