diff --git a/detection-rules/abuse_exacttarget_sender_domain.yml b/detection-rules/abuse_exacttarget_sender_domain.yml
index ac0f7083cfe..25630d28b5e 100644
--- a/detection-rules/abuse_exacttarget_sender_domain.yml
+++ b/detection-rules/abuse_exacttarget_sender_domain.yml
@@ -1,5 +1,5 @@
-name: "Service Abuse: ExactTarget with suspicious sender domain"
-description: "Message originates from ExactTarget infrastructure but uses a suspicious sender domain, including overly long salesforce.com domains, awsapps.com domains, or domains containing UTF-8 encoding characters."
+name: "Service Abuse: ExactTarget with suspicious sender indicators"
+description: "Message originates from ExactTarget infrastructure but uses a suspicious sender domain, including overly long salesforce.com domains, awsapps.com domains, domains containing UTF-8 encoding characters, or a suspicious sender display name."
 type: "rule"
 severity: "high"
 source: |
@@ -12,6 +12,9 @@ source: |
 )
 or sender.email.domain.root_domain == "awsapps.com"
 or strings.icontains(sender.email.domain.domain, '?utf-8')
+or regex.icontains(sender.display_name,
+'.*\|.*(Manager|Careers|Recruitment|Specialist|Global)'
+)
 )
 attack_types:
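Review bot: The display-name pattern added in the second hunk, `'.*\|.*(Manager|Careers|Recruitment|Specialist|Global)'`, is unanchored on the right, so it also matches names such as "Globalization Team" or "Specialists", and the leading `.*` fragments are redundant under a contains-style match. If whole-word matching is intended, `'\|.*\b(Manager|Careers|Recruitment|Specialist|Global)\b'` narrows it; if the broader substring match is deliberate, a comment above the clause saying so would stop the next reader from tightening it. The clause also requires a literal `|` in the display name, so names using other separators are not covered — presumably intentional, but worth stating in the description alongside the new "suspicious sender display name" wording. The `source` expression begins before this hunk, and the hunk's final context line is not visible here.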