diff --git a/rules/macos/execution_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
similarity index 82%
rename from rules/macos/execution_suspicious_mac_ms_office_child_process.toml
rename to rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
index 154833e02..69d364790 100644
--- a/rules/macos/execution_suspicious_mac_ms_office_child_process.toml
+++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
@@ -53,12 +53,16 @@ process where event.type in ("start", "process_started") and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1193"
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.001"
 name = "Spearphishing Attachment"
-reference = "https://attack.mitre.org/techniques/T1193/"
+reference = "https://attack.mitre.org/techniques/T1566/001/"
 [rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
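Review bot: The ATT&CK mapping replaces the Execution tactic (`id = "TA0002"` / `name = "Execution"`) with Initial Access instead of keeping both, so the rule's coverage map loses Execution even though the query in the hunk header (`process where event.type in ("start", "process_started") and …`) matches a process spawned by an Office application, i.e. the attachment being run, not only delivered. Rule TOML in this layout permits several `[[rule.threat]]` entries, so the new Initial Access block can stay as written and a second entry mapping to User Execution: Malicious File (T1204.002) under TA0002 can be appended after it, as sketched below. The hunk header counts (`-53,12 +53,16`) exceed the lines visible here by two on each side, which looks like blank context lines dropped when the diff was collapsed rather than a problem with the change itself. Anything after the tactic block is outside the hunk.
```toml
# … unchanged: Initial Access [[rule.threat]] entry, ending with the TA0001 tactic …
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"
[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
```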