diff --git a/rules/windows/file_event/win_file_winword_cve_2021_40444.yml b/rules/windows/file_event/win_file_winword_cve_2021_40444.yml
index 4eacdf8a..01d06076 100644
--- a/rules/windows/file_event/win_file_winword_cve_2021_40444.yml
+++ b/rules/windows/file_event/win_file_winword_cve_2021_40444.yml
@@ -4,7 +4,8 @@ status: experimental
 description: Detects file creation patterns noticable during the exploitation of CVE-2021-40444
 references:
     - https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
-author: Florian Roth
+    - https://twitter.com/vanitasnk/status/1437329511142420483?s=21
+author: Florian Roth, Sittikorn S
 date: 2021/09/10
 logsource:
     product: windows
@@ -14,10 +15,14 @@ detection:
         Image: '\winword.exe'
         TargetFilename|endswith: '.cab'
         TargetFilename|contains: '\Windows\INetCache'
-    condition: selection
+    selection_inf:
+        Image: '\winword.exe'
+        TargetFilename|contains:
+            - '\AppData\Local\Temp\'
+            - '.inf'
+    condition: selection or selection_inf
 fields:
     - TargetFilename
 falsepositives:
     - unknown
 level: critical
-
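Review bot: In the new `selection_inf`, the two-item list under `TargetFilename|contains` is OR-ed in Sigma, not AND-ed, so this critical-level rule fires on any winword.exe file creation under `\AppData\Local\Temp\` (where Word routinely writes its own scratch files) and on any path that merely contains `.inf`. To require both substrings use the `|all` modifier, `TargetFilename|contains|all:`, or split the keys so the map itself ANDs them: `TargetFilename|contains: '\AppData\Local\Temp\'` and `TargetFilename|endswith: '.inf'`. The `falsepositives` entry of `unknown` should then mention legitimate Word temp-file writes once the match is tightened. The `selection:` map the first three context lines belong to begins outside the hunk.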