diff --git a/rules/windows/image_load/image_load_side_load_wwlib.yml b/rules/windows/image_load/image_load_side_load_wwlib.yml
index ee27416be..ac7b39921 100644
--- a/rules/windows/image_load/image_load_side_load_wwlib.yml
+++ b/rules/windows/image_load/image_load_side_load_wwlib.yml
@@ -1,9 +1,11 @@
 title: Potential WWlib.DLL Sideloading
 id: e2e01011-5910-4267-9c3b-4149ed5479cf
 status: experimental
-description: Detects potential DLL sideloading of "wwlib.dll"
+description: Detects potential DLL sideloading of "wwlib.dll" 
 references:
     - https://twitter.com/WhichbufferArda/status/1658829954182774784
+    - https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/
+    - https://securelist.com/apt-luminousmoth/103332/
 author: X__Junior (Nextron Systems)
 date: 2023/05/18
 tags:
@@ -17,11 +19,15 @@ logsource:
 detection:
     selection:
         ImageLoaded|endswith: '\wwlib.dll'
-    filter:
+    filter_main_path:
+        Image|startswith:
+            - 'C:\Program Files (x86)\Microsoft Office\'
+            - 'C:\Program Files\Microsoft Office\'
+        Image|endswith: '\winword.exe'
         ImageLoaded|startswith:
             - 'C:\Program Files (x86)\Microsoft Office\'
             - 'C:\Program Files\Microsoft Office\'
-    condition: selection and not filter
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown
-level: medium
\ No newline at end of file
+level: medium