diff --git a/detection-rules/impersonation_dhl.yml b/detection-rules/impersonation_dhl.yml
index 58d0cb83a00..754a0655810 100644
--- a/detection-rules/impersonation_dhl.yml
+++ b/detection-rules/impersonation_dhl.yml
@@ -10,6 +10,7 @@ source: |
 type.inbound
 and (
 regex.icontains(sender.display_name, '\bDHL\b')
+ or regex.contains(sender.display_name, '\bD.{0,2}H.{0,2}L.{0,2}\b')
 or (
 strings.ilike(sender.email.domain.domain, '*DHL*')
 and length(sender.email.domain.domain) < 15
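Review bot: The added pattern `\bD.{0,2}H.{0,2}L.{0,2}\b` uses `.` as the filler, so it accepts any one or two characters between and after the letters, not only separators; display names such as `DAHL` or initials like `D. H. Li` satisfy this branch just as `D.H.L` or `D-H-L` do. If the intent is to catch punctuated or spaced variants, restricting the filler to non-alphanumerics would be tighter, e.g. `or regex.contains(sender.display_name, '\bD[^a-zA-Z0-9]{0,2}H[^a-zA-Z0-9]{0,2}L\b')`. The new line also uses case-sensitive `regex.contains` while the line above it uses `regex.icontains`; if that is deliberate to limit false positives, a short comment saying so would help, since lowercase variants such as `d.h.l` are not covered. The enclosing `and (` group continues outside the hunk, so later conditions may already narrow what this branch lets through.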