diff --git a/rules/proxy/proxy_ursnif_malware.yml b/rules/proxy/proxy_ursnif_malware.yml
index 09bf0edac..1445ed4f3 100644
--- a/rules/proxy/proxy_ursnif_malware.yml
+++ b/rules/proxy/proxy_ursnif_malware.yml
@@ -4,12 +4,15 @@ status: stable
 description: Detects download of Ursnif malware done by dropper documents.
 author: Thomas Patzke
 date: 2019/12/19
-modified: 2020/09/03
+modified: 2020/11/28
 logsource:
 category: proxy
 detection:
 selection:
- c-uri|endswith: '/*.php?l=*.cab'
+ c-uri|contains|all:
+ - '/'
+ - '.php?l='
+ c-uri|endswith: '.cab'
 sc-status: 200
 condition: selection
 fields:
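Review bot: The `- '/'` item under the new `c-uri|contains|all` is effectively a no-op, since a proxy c-uri practically always contains a slash, and `contains` cannot express the old pattern's requirement that the slash precede `.php`, so the selection now amounts to `.php?l=` anywhere plus a `.cab` suffix with status 200. It would be clearer to say that directly, `c-uri|contains: '.php?l='` followed by `c-uri|endswith: '.cab'`, rather than keep a term that reads like a constraint but filters nothing. The `modified` date is bumped without any note on why the single wildcard `endswith` was split; a YAML comment above `selection` such as `# wildcard endswith split into contains/endswith; matching is otherwise unchanged` would spare the next maintainer from re-deriving the equivalence, and if the motivation was backend support for mid-string wildcards, that is inferred here and worth stating explicitly.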