diff --git a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
index e5291bd86..cee32a74a 100644
--- a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
+++ b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
@@ -2,7 +2,7 @@ title: MS Office Product Spawning Exe in User Dir
 status: experimental
 description: Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio
 references:
-    - sha256: 23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c
+    - sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c
     - https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign 
 tags:
     - attack.execution