diff --git a/rules/macos/credential_access_mitm_localhost_webproxy.toml b/rules/macos/credential_access_mitm_localhost_webproxy.toml
index 1dd3b7045..1793757b7 100644
--- a/rules/macos/credential_access_mitm_localhost_webproxy.toml
+++ b/rules/macos/credential_access_mitm_localhost_webproxy.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/05"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/09"
 
 [rule]
 author = ["Elastic"]
@@ -27,8 +27,11 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:start and
- process.name:networksetup and process.args:("-setwebproxy" or "-setsecurewebproxy" or "-setautoproxyurl")
+event.category : process and event.type : start and
+ process.name : networksetup and process.args : (("-setwebproxy" or "-setsecurewebproxy" or "-setautoproxyurl") and not (Bluetooth or off)) and
+ not process.parent.executable : ("/Library/PrivilegedHelperTools/com.80pct.FreedomHelper" or
+ "/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi" or
+ "/usr/libexec/xpcproxy")
 '''