diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml
index 5f349d2dc..e583f123c 100644
--- a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml
+++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml
@@ -1,14 +1,14 @@
 title: Microsoft 365 - Suspicious inbox forwarding
 id: 6c220477-0b5b-4b25-bb90-66183b4089e8
 status: experimental
-description: Detects when a Microsoft Cloud App Security reported
+description: Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
 author: Austin Songer @austinsonger
 date: 2021/08/22
 references:
 - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
 - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
- category:
+ category: ThreatManagement
 service: m365
 detection:
 selection:
@@ -17,8 +17,8 @@ detection:
 status: success
 condition: selection
 falsepositives:
- -
-level: medium
+ - Unknown
+level: low
 tags:
- - attack.initial_access
- -
\ No newline at end of file
+ - attack.exfiltration
+ - attack.t1020
\ No newline at end of file
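Review bot: The two new tag lines at the end of the second hunk map the rule only to attack.t1020 (Automated Exfiltration), while the behaviour the new description spells out — a user-created inbox rule forwarding mail to an external address — is precisely ATT&CK T1114.003 (Email Collection: Email Forwarding Rule); add `    - attack.collection` and `    - attack.t1114.003` next to the existing tags so coverage mapping and hunting land on the specific technique. The change from `level: medium` to `level: low` is paired with `falsepositives: - Unknown` and is not explained by the commit; a Cloud App Security anomaly alert of this kind is already a curated signal, and external forwarding rules are a standard post-compromise step in business-email-compromise cases, so medium looks like the safer default unless the author has observed noise. Consider replacing `- Unknown` with the scenario actually expected, e.g. `- Legitimate forwarding configured by the user or an administrator`, so analysts know what to triage against.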