diff --git a/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml
index 575e76fa9..1690d51b5 100644
--- a/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml
@@ -16,10 +16,10 @@ detection:
 selection:
 EventID: 7
 Image:
- - '*winword.exe*'
- - '*powerpnt.exe*'
- - '*excel.exe*'
- - '*outlook.exe*'
+ - '*\winword.exe*'
+ - '*\powerpnt.exe*'
+ - '*\excel.exe*'
+ - '*\outlook.exe*'
 ImageLoaded:
 - '*C:\Windows\assembly\*'
 condition: selection
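Review bot: The four new Image patterns still end in a trailing `*`, so after anchoring on the path separator the rule keeps matching any image whose file name merely starts with `winword.exe` (for example a binary inside a directory named `winword.exe_old`), which is wider than the Office-process match the rule intends. Sigma expresses this directly with a field modifier instead of wildcards: replace `Image:` with `Image|endswith:` and each entry with the bare suffix, e.g. `- '\winword.exe'`, which also makes the intent readable without wildcard reasoning. The context line `- '*C:\Windows\assembly\*'` under ImageLoaded carries a leading `*` before an absolute drive path, which presumably never matters for a full-path field and could be `ImageLoaded|startswith: 'C:\Windows\assembly\'` for the same reason, though that line is untouched by this commit. The `detection:` mapping this selection belongs to begins before the hunk.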