diff --git a/detection-rules/spam_image_hidden_element.yml b/detection-rules/spam_image_hidden_element.yml
index f75e545b38f..8aa9b7568d6 100644
--- a/detection-rules/spam_image_hidden_element.yml
+++ b/detection-rules/spam_image_hidden_element.yml
@@ -53,10 +53,10 @@ source: |
 or
 // the hidden span/div is before the body/meta
 regex.contains(body.html.raw,
-'<(?:span|div)[^\>]*style=\x22[^\x22]*\s*(?:display\s*\x3a\s*none|visibility\s*\x3a\s*hidden)\x3b[^\x22]*\x22(?:\s*\w+=\"\w+\")*>\s*\<(?:body|meta)'
+'<(?:span|div)[^\>]*style=\x22[^\x22]*\s*(?:display\s*\x3a\s*none|visibility\s*\x3a\s*hidden)\x3b[^\x22]*\x22(?:\s*\w+=\"\w+\")*>\s*\<(?:body|meta|(?:]+\>\s*(?:[^\<]*|<[a-z]+>\s*)<\/div>\s*){2,})'
 )
 // the length of the inner text is greather than or equal to 10x more than the display text
-// this attempts to generically cover multiple methods of hidding text
+// this attempts to generically cover multiple methods of hiding text
 or length(body.html.inner_text) >= (length(body.html.display_text) * 10)
 )
 )
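Review bot: The new alternative in the `regex.contains` pattern starts with `(?:]+\>`, which as written matches a literal run of `]` followed by `>` rather than an opening tag, so the `{2,}` repetition is unlikely to match a run of `<div>…</div>` elements as its trailing `<\/div>` suggests it is meant to; if this is the committed text and not an extraction artifact on this page, the opening-tag match, presumably `<div[^\>]+\>`, needs restoring, e.g. `(?:<div[^\>]+\>\s*(?:[^\<]*|<[a-z]+>\s*)<\/div>\s*){2,}`. Either way this branch deserves a positive and a negative sample message, because a sub-pattern that can never match fails silently inside a detection rule. The overlapping `\s*` and `[^\<]*` quantifiers inside a repeated group can also backtrack heavily on long whitespace runs before a non-matching tag, so the pattern is worth timing against a large HTML body. The neighbouring context line still reads `greather than`; it could be corrected to `greater than` in the same pass that fixed `hidding`. The enclosing `source` block begins before the hunk.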