diff --git a/rules/macos/persistence_suspicious_calendar_modification.toml b/rules/macos/persistence_suspicious_calendar_modification.toml
index 5351f1fb9..eac455d9f 100644
--- a/rules/macos/persistence_suspicious_calendar_modification.toml
+++ b/rules/macos/persistence_suspicious_calendar_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/07/27"
 
 [rule]
 author = ["Elastic"]
@@ -31,12 +31,13 @@ query = '''
 event.category:file and event.action:modification and file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and process.executable:
- (* and not
+ (* and not
 (
- /System/Library/* or
- /System/Applications/Calendar.app/Contents/MacOS/* or
- /usr/libexec/xpcproxy or
- /sbin/launchd or
+ /System/Library/* or
+ /System/Applications/Calendar.app/Contents/MacOS/* or
+ /System/Applications/Mail.app/Contents/MacOS/Mail or
+ /usr/libexec/xpcproxy or
+ /sbin/launchd or
 /Applications/* ) )
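Review bot: The new `/System/Applications/Mail.app/Contents/MacOS/Mail` exception in the second hunk is the only substantive change, yet nothing visible records which benign Mail activity it is meant to suppress, and the `updated_date` bump in the first hunk does not explain it either. Presumably Mail writes `.ics` event files under `~/Library/Calendars` when an invitation is handled, but that is inferred; the rationale belongs in the rule's `false_positives` entry or `description` (both outside this hunk), e.g. `"Mail.app writes calendar event files when processing invitations; excluded by executable path"`, once the observed behavior is confirmed. As a style point, the Mail entry pins the exact binary while the neighbouring Calendar entry uses `Calendar.app/Contents/MacOS/*`; either form works, but the list reads more consistently if both use the same granularity, and the exclusion is by `process.executable` path alone like the rest of the list, so if the consumers populate `process.code_signature.*` a signature condition would tighten it. The remaining `-`/`+` pairs appear to differ only in leading whitespace and inflate the change; keeping formatting-only edits out of a logic change makes the rule's history easier to audit.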