diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
index b9945d1ef..1bbc4c24e 100644
--- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
+++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:file and not event.type:deletion and file.name:~$*.zip
+event.category:file and not event.type:deletion and file.name:~$*.zip and host.os.type:macos
 '''
 [[rule.threat]]
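Review bot: The added `host.os.type:macos` clause makes the rule silently miss any event whose shipper does not populate `host.os.type`, and nothing in the hunk documents that the field is now a prerequisite; the rule's description or `note` field should state that `host.os.type` must be populated for the query to match (a `#` comment cannot go inside the `'''` query string, since it would become part of the query). If the repository convention is to bump `updated_date` in `[metadata]` whenever the query changes, that key lies above this hunk and is not touched here. The `query = '''` string and the following `[[rule.threat]]` table are only partly visible, so the enclosing rule definition extends beyond the hunk in both directions.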