diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
index a350fde02..d2fbc37c0 100644
--- a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
+++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
-updated_date = "2021/03/08"
+updated_date = "2021/03/09"
 
 [rule]
 author = ["Elastic"]
@@ -47,7 +47,18 @@ process where event.type in ("start", "process_started") and
       "mv",
       "base64",
       "launchctl"
-      )
+      ) and
+      /* noisy false positives related to product version discovery and office errors reporting */
+      not process.args:
+      (
+        "ProductVersion",
+        "hw.model",
+        "ioreg",
+        "ProductName",
+        "ProductUserVisibleVersion",
+        "ProductBuildVersion",
+        "/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting"
+      )
 '''
 
 
@@ -68,4 +79,3 @@ reference = "https://attack.mitre.org/techniques/T1566/001/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
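Review bot: The new `not process.args: ( ... )` clause in the second hunk excludes an event whenever any argument of the child process equals one of the listed values, without tying that value to the executable that legitimately emits it, so the filter is wider than the two false-positive sources the comment names (version discovery and error reporting). A child that is in the detected `process.name` list (the list opens outside the hunk; `"mv"`, `"base64"`, `"launchctl"` are visible) would be suppressed merely for carrying `"ioreg"` or `"ProductVersion"` among its arguments. Scoping each entry to its presumed origin keeps the exclusion narrow, e.g. `not (process.name in ("sw_vers", "sysctl", "ioreg") and process.args : ("ProductVersion", "ProductName", "ProductUserVisibleVersion", "ProductBuildVersion", "hw.model", "ioreg"))` — which binaries actually produce these values should be confirmed against the events that motivated the change. The long MERP path is a binary path rather than an option string; if it appears as the launched executable it belongs in an `process.executable` exclusion, and the wildcard in `MERP*` only works here because the `:` operator is used, which is worth stating in the comment (`/* ':' is required for the MERP* wildcard */`). The enclosing EQL query starts before this hunk, so the full `process.name` list could not be checked.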