diff --git a/detection-rules/credential_phishing_generic_document_sharing.yml b/detection-rules/credential_phishing_generic_document_sharing.yml
index 050e2476b43..0ce8cd026b6 100644
--- a/detection-rules/credential_phishing_generic_document_sharing.yml
+++ b/detection-rules/credential_phishing_generic_document_sharing.yml
@@ -8,7 +8,15 @@ severity: "medium"
 source: |
 type.inbound
 // exclude if it's a reply to an existing conversation
- and not length(body.previous_threads) > 0
+ and (
+ not length(body.previous_threads) > 0
+ // still match if self-sender BCC pattern
+ or (
+ length(recipients.to) == 1
+ and length(recipients.cc) == 0
+ and sender.email.email == recipients.to[0].email.email
+ )
+ )
 and (
 // subject contains document sharing language
 regex.icontains(subject.base,
diff --git a/detection-rules/evasion_excessive_image_padding_cred_theft.yml b/detection-rules/evasion_excessive_image_padding_cred_theft.yml
index c8a7b1a78b2..e99e2818302 100644
--- a/detection-rules/evasion_excessive_image_padding_cred_theft.yml
+++ b/detection-rules/evasion_excessive_image_padding_cred_theft.yml
@@ -24,6 +24,10 @@ source: |
 or regex.icontains(body.html.raw,
 '(?:]*>\s*\s*\s*){20,}'
 )
+ // class-attributed div-br blocks repeated 20+ times (Outlook elementToProof pattern)
+ or regex.icontains(body.html.raw,
+ '(?:]*>\s*\s*\s*){20,}'
+ )
 // p-nbsp blocks repeated 25+ times
 or regex.icontains(body.html.raw, '(?:
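Review bot: The new `or ( ... )` branch in the first hunk never checks BCC even though its comment calls it a "self-sender BCC pattern"; it only requires a single To recipient equal to the sender and an empty CC, so any reply inside an existing thread that a user addresses to themselves (a note-to-self carrying a document link) now bypasses the previous-thread exclusion the rule was relying on. If the schema exposes a BCC list alongside `recipients.to` and `recipients.cc`, the branch should also require it to be non-empty; otherwise reword the comment to what the code actually tests, e.g. `// still match replies whose only visible recipient is the sender (real targets presumably hidden in BCC)`. The `sender.email.email == recipients.to[0].email.email` comparison is an exact string match; if string equality is case-sensitive in this engine, a differently-cased self-address slips past, so normalize both sides (lowercase) before comparing. The `source:` query body continues past the end of the hunk.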

\s*(?: | )\s*

\s*){25,}'