diff --git a/rules/windows/process_creation/win_susp_msoffice.yml b/rules/windows/process_creation/win_susp_msoffice.yml
index cba66eb4..5dd0581f 100644
--- a/rules/windows/process_creation/win_susp_msoffice.yml
+++ b/rules/windows/process_creation/win_susp_msoffice.yml
@@ -19,7 +19,8 @@ detection:
 Image:
 - '*\powerpnt.exe'
 - '*\winword.exe'
- CommandLine: '* "http*'
+ - '*\excel.exe'
+ CommandLine: '* http*'
 condition: selection
 level: medium
 falsepositives:
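Review bot: The new `CommandLine: '* http*'` replaces the quoted form instead of adding to it, so a command line whose URL argument is wrapped in double quotes (space, quote, then `http`) no longer matches, because the space in the pattern must be followed directly by `http`. Making the field a list keeps both shapes covered: `CommandLine:` with the items `- '* http*'` and `- '* "http*'`. The broader pattern will presumably also fire when Office opens a document straight from an intranet or SharePoint URL, so that case is worth naming under `falsepositives`. Both the entries of `falsepositives` and the start of the `detection` block lie outside this hunk.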