diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
index 3d8736fe9..306a153b0 100644
--- a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
+++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
@@ -38,7 +38,7 @@ detection:
 - 'NS'
 - 'ns'
 - 'MX'
- - 'MX'
+ - 'mx'
 exclude_responses:
 answers|endswith: '\\x00'
 exclude_netbios:
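Review bot: The list that gains `- 'mx'` pairs each record type with its lower-case form, but nothing in the hunk says why. The Sigma specification treats plain string values as case-insensitive, so the pairs only matter on a backend that compares case-sensitively. A one-line comment above the list would record that, e.g. `# lower-case variants kept for backends that match case-sensitively`, if that is indeed the reason. The list's key sits above the hunk; judging by the `exclude_*` selections that follow, it looks like an exclusion, in which case a missed variant costs false positives rather than detections, but that should be confirmed against the condition line.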