diff --git a/rules/detection/high/o365.json b/rules/detection/high/o365.json
index f286280..ad9863d 100644
--- a/rules/detection/high/o365.json
+++ b/rules/detection/high/o365.json
@@ -67,7 +67,7 @@
 },
 {
 "title": "O365 Activity from Tor IP Address",
- "expression": "o365.audit.Operation!='UserLoginFailed' && contains(to_string(\"cybersift.threat_info\".threats), 'Tor')",
+ "expression": "o365.audit.Operation!='UserLoginFailed' && contains(to_string("cybersift.threat_info".threats), 'Tor')",
 "severity": "high",
 "type": "o365"
 },
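Review bot: The new `"expression"` value drops the backslashes around `cybersift.threat_info`, so the JSON string ends at `to_string(` and the rest of the line is a syntax error for any strict parser. As shown, `o365.json` would no longer parse. Depending on how the loader handles a bad file, that could silently drop this Tor rule and every other high-severity O365 rule in the file. Keep the inner quotes escaped, `contains(to_string(\"cybersift.threat_info\".threats), 'Tor')`, since the expression language appears to need the quoting because the field name contains a dot. A CI step that parses every file under `rules/` (for example with `jq .` or `python -m json.tool`) and fails on error would catch this before it reaches a deployed ruleset.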