diff --git a/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
index 9ed5bcec4..a9d84520e 100644
--- a/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
+++ b/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/06/09"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,8 @@ tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps",
 type = "threshold"
 
 query = '''
-event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and event.action:UserLoginFailed and event.outcome:failure
+event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and 
+event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword") and event.outcome:failure
 '''
 
 
@@ -50,4 +51,3 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.threshold]
 field = ["user.id"]
 value = 10
-