diff --git a/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml b/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml
index ddc55dae8..02f923c55 100644
--- a/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml
+++ b/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/01"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/05/24"
 
 [rule]
 author = ["Elastic"]
@@ -31,10 +31,10 @@ tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps",
 type = "threshold"
 
 query = '''
-event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and event.action:UserLoginFailed and event.outcome:failure
+event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and
+event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword") and event.outcome:failure
 '''
-
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -51,4 +51,3 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.threshold]
 field = ["source.ip"]
 value = 25
-
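Review bot: The widened query now folds two distinct authentication paths — Azure AD `UserLoginFailed` and Exchange `PasswordLogonInitialAuthUsingPassword` — into the single `source.ip` threshold of 25 in `[rule.threshold]`, but nothing in the rule text documents that the count is now a blend of both providers, so an analyst triaging a hit cannot tell from the rule which event type drove it. The rule's `description` and `note` fields sit outside these hunks; I would extend them with a sentence such as `Failures are counted across both Azure AD interactive sign-ins (UserLoginFailed) and Exchange legacy/basic authentication (PasswordLogonInitialAuthUsingPassword); a source IP exceeding the threshold against either path, or both combined, will fire.` It would also be worth confirming, and stating in `note`, that the Exchange `PasswordLogonInitialAuthUsingPassword` events reliably populate `event.outcome` as `failure` and carry a `source.ip` value; if either field is absent for that provider the added clause contributes nothing to the threshold and the change is a no-op for the Exchange path. The `updated_date` bump in the first hunk is consistent with a query change and needs no further action.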