diff --git a/rules/web/web_cve_2022_27925_exploit.yml b/rules/web/web_cve_2022_27925_exploit.yml
index 71f031bfa..fd0030e5a 100644
--- a/rules/web/web_cve_2022_27925_exploit.yml
+++ b/rules/web/web_cve_2022_27925_exploit.yml
@@ -17,15 +17,12 @@ logsource:
 detection:
 selection_servlet:
 cs-method: 'POST'
- c-uri|contains: '/service/extension/backup/mboximport?'
- selection_uri:
+ c-uri|contains: '/service/extension/backup/mboximport\?'
 c-uri|contains|all:
 - 'account-name'
 - 'ow'
 - 'no-switch'
 - 'append'
- cs-cookie: 'ZM_AUTH_TOKEN'
- selection_status:
 sc-status:
 - '401'
 - '200'
@@ -33,7 +30,7 @@ detection:
 cs-uri|contains: '/zimbraAdmin/'
 cs-uri|endswith: '.jsp'
 cs-status|contains: '200'
- condition: all of selection* or selection_shell
+ condition: all of selection_servlet or selection_shell
 falsepositives:
 - Unknown
 level: medium
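Review bot: The `sc-status` list in `selection_servlet` still accepts `'401'`, and with the `cs-cookie` requirement dropped the selection now fires on any POST to the mboximport servlet carrying these four parameters, whether or not the request was authenticated or succeeded; nothing in the rule says this is intended. A comment above `sc-status` would help triage, for example `# 401 is kept on purpose: unauthenticated attempts are in scope; confirm impact via selection_shell hits`. The path and the parameter list could also live in one `c-uri|contains|all` list, with `- '/service/extension/backup/mboximport\?'` as its first item, so the selection does not carry two near-identical `c-uri` keys.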
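Review bot: `selection_shell` (its header is above this hunk) uses `cs-uri` and `cs-status`, while `selection_servlet` uses `c-uri` and `sc-status` for the same log source; unless the backend maps both spellings, the webshell branch of the new condition will not match anything. Assuming the names in `selection_servlet` are the correct ones, the three lines would read `c-uri|contains: '/zimbraAdmin/'`, `c-uri|endswith: '.jsp'` and `sc-status: '200'`. Separately, `all of selection_servlet` names a single selection, so `condition: selection_servlet or selection_shell` says the same thing more plainly.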