diff --git a/rules/windows/network_connection/win_nc_susp_outbound_smtp_connections.yml b/rules/windows/network_connection/win_nc_susp_outbound_smtp_connections.yml
index 35e9261d0..7fabb6ae2 100644
--- a/rules/windows/network_connection/win_nc_susp_outbound_smtp_connections.yml
+++ b/rules/windows/network_connection/win_nc_susp_outbound_smtp_connections.yml
@@ -9,6 +9,7 @@ references:
- https://www.ietf.org/rfc/rfc2821.txt
author: frack113
date: 2022/01/07
+modified: 2022/02/16
logsource:
category: network_connection
product: windows
@@ -20,11 +21,14 @@ detection:
- 465
- 2525
Initiated: 'true'
- filter:
+ filter_clients:
Image|endswith:
- \thunderbird.exe
- \outlook.exe
- condition: selection and not filter
+ filter_mailserver:
+ Image|startswith:
+ - 'C:\Program Files\Microsoft\Exchange Server\'
+ condition: selection and not 1 of filter*
falsepositives:
- Other SMTP tools
level: medium
diff --git a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
index bb2ad3d52..964d1ce9b 100644
--- a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
+++ b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
@@ -6,7 +6,7 @@ author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
date: 2019/09/12
-modified: 2022/01/19
+modified: 2022/02/16
logsource:
product: windows
category: pipe_created
@@ -21,6 +21,8 @@ detection:
- '\WINDOWS\System32\wsmprovhost.exe'
- '\Windows\system32\dsac.exe'
- '\Windows\system32\wbem\wmiprvse.exe'
+ - '\ForefrontActiveDirectoryConnector.exe'
+ - 'c:\windows\system32\inetsrv\w3wp.exe' # this is sad :,( but it triggers FPs on Exchange servers
filter2:
Image: null
filter3: # Microsoft SQL Server\130\Tools\
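Review bot: `filter_mailserver` pins the Exchange install path to the `C:` drive via `Image|startswith`, so an Exchange Server installed on any other volume keeps firing even though the filter's intent is to exclude it; the same hardcoded drive appears in the new `filter4` of sysmon_alternate_powershell_hosts_pipe.yml later in this diff. That rule's existing `filter3` already uses a drive-agnostic `':\Program Files'` fragment, and the same shape works here: `Image|contains: ':\Program Files\Microsoft\Exchange Server\'`. A one-line comment on the filter stating why the path is trusted would also help reviewers tuning the rule, e.g. `# Exchange transport binaries legitimately initiate outbound SMTP`. The `selection` block this condition refers to lies above the hunk.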
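Review bot: The new `'c:\windows\system32\inetsrv\w3wp.exe'` entry excludes every IIS worker process on every host, not only the Exchange servers the inline comment mentions, and an IIS worker process opening a PowerShell host pipe is exactly the kind of alternate host this rule is meant to surface, so coverage is lost on any IIS server that does not run Exchange. Because pipe_created events carry no field that ties w3wp.exe to Exchange, consider moving this entry into its own filter (e.g. `filter_exchange_iis`) so environments without Exchange can drop it, and record the trade-off in the rule's `falsepositives` list (not in this hunk). The comment itself should state that trade-off plainly, e.g. `# IIS worker process: Exchange hosts PowerShell inside w3wp.exe; this entry also hides PowerShell hosts started by other IIS sites`. The list's key (presumably an `Image|endswith` filter) sits above the hunk.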
@@ -28,6 +30,12 @@ detection:
- ':\Program Files'
- '\Microsoft SQL Server\'
Image|endswith: '\Tools\Binn\SQLPS.exe'
+ filter4:
+ Image|startswith:
+ - 'C:\Program Files\Citrix\'
+ - 'C:\Program Files\Microsoft\Exchange Server\'
+ filter_commandline:
+ CommandLine
condition: selection and not 1 of filter*
fields:
- ComputerName
diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
index 5622ab6cb..b87404977 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
@@ -3,7 +3,7 @@ id: 64e8e417-c19a-475a-8d19-98ea705394cc
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: test
date: 2019/08/11
-modified: 2021/10/16
+modified: 2022/02/16
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
@@ -19,7 +19,9 @@ detection:
ContextInfo: '*'
filter:
ContextInfo|contains: 'powershell.exe' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event
- condition: selection and not filter
+ filter_citrix:
+ ContextInfo|contains: 'ConfigSyncRun.exe'
+ condition: selection and not 1 of filter*
falsepositives:
- Programs using PowerShell directly without invocation of a dedicated interpreter
- MSP Detection Searcher
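Review bot: `filter_commandline` is followed by the bare token `CommandLine` with no colon, modifier or value, so YAML yields the string "CommandLine" as the filter's value rather than a field condition; Sigma defines no plain-string detection item, so depending on the backend the rule is either rejected or compiled as a keyword search, which under `not 1 of filter*` would suppress any event whose text contains "CommandLine". Sysmon pipe_created events (EID 17/18) carry no CommandLine field at all, so the filter should either be completed with the intended condition, e.g. `CommandLine|contains: '<intended value>'`, or removed before this merges. `filter4` also repeats the hardcoded `C:` drive prefix; `Image|contains: ':\Program Files\Citrix\'` (and likewise for Exchange) matches the drive-agnostic `':\Program Files'` style `filter3` uses two lines above. The enclosing `filter3` map starts above the hunk.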
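Review bot: `filter_citrix` matches `ConfigSyncRun.exe` anywhere in `ContextInfo` with no directory component, so a binary of that name in any location suppresses the alert, whereas the Citrix exclusion this same commit adds to sysmon_alternate_powershell_hosts_pipe.yml is anchored to `'C:\Program Files\Citrix\'`. If the install location is known, include the directory portion, e.g. `ContextInfo|contains: '<Citrix install dir>\ConfigSyncRun.exe'`, so the exclusion cannot be satisfied by a same-named file elsewhere. The existing `filter` carries a comment explaining what it matches; the new one should too, e.g. `# Citrix component observed hosting PowerShell; confirm its install path`, and `falsepositives` could gain an entry naming the Citrix component. The `selection` block this condition references lies above the hunk.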