diff --git a/rules_building_block/defense_evasion_masquerading_communication_apps.toml b/rules/windows/defense_evasion_masquerading_communication_apps.toml
similarity index 95%
rename from rules_building_block/defense_evasion_masquerading_communication_apps.toml
rename to rules/windows/defense_evasion_masquerading_communication_apps.toml
index fe0a3313f..aac5dce5c 100644
--- a/rules_building_block/defense_evasion_masquerading_communication_apps.toml
+++ b/rules/windows/defense_evasion_masquerading_communication_apps.toml
@@ -5,7 +5,6 @@ maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 updated_date = "2023/10/13"
-bypass_bbr_timing = true
 
 [rule]
 author = ["Elastic"]
@@ -18,12 +17,11 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Masquerading as Communication Apps"
-risk_score = 21
+risk_score = 47
 rule_id = "c9482bfa-a553-4226-8ea2-4959bd4f7923"
-severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"]
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
-building_block_type = "default"
 type = "eql"
 query = '''
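Review bot: `updated_date = "2023/10/13"` stays as context in the first hunk even though the commit removes `bypass_bbr_timing` here and, in the second hunk, changes `risk_score`, `severity` and `tags`; this repository appears to expect a rule's `updated_date` to reflect its last content change, so unless the commit itself is dated 2023/10/13 the line should become `updated_date = "<date of this change>"`. The second hunk also drops the `Tactic: Persistence` tag while the rule's `[[rule.threat]]` mapping is outside this chunk; if that mapping still lists Persistence, tags and threat metadata will disagree and should be reconciled in the same commit. Because the rule is promoted from a building block to a standalone alerting rule, a short note in the commit description on why `risk_score = 47` / `severity = "medium"` was chosen (and whether the query's false-positive profile was reviewed for direct alerting) would help reviewers and future tuners. The second hunk continues past the end of this chunk.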