diff --git a/host-interaction/process/create/create-process-suspended.yml b/host-interaction/process/create/create-process-suspended.yml
index e321877f..43e7ade8 100644
--- a/host-interaction/process/create/create-process-suspended.yml
+++ b/host-interaction/process/create/create-process-suspended.yml
@@ -4,11 +4,15 @@ rule:
     namespace: host-interaction/process/create
     authors:
       - william.ballenthin@mandiant.com
+      - mehunhoff@google.com
     scopes:
       static: basic block
       dynamic: call
     mbc:
       - Process::Create Process::Create Suspended Process [C0017.003]
+    references:
+      - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/
+      - https://learn.microsoft.com/en-us/windows/win32/procthread/process-creation-flags#flags
     examples:
       - Practical Malware Analysis Lab 03-03.exe_:0x4010EA
   features:
@@ -16,6 +20,7 @@ rule:
       - or:
         - number: 0x08000004 = CREATE_NO_WINDOW | CREATE_SUSPENDED
         - number: 4 = CREATE_SUSPENDED
+        - number: 2 = DEBUG_ONLY_THIS_PROCESS
       - or:
         - api: kernel32.CreateProcess
         - api: advapi32.CreateProcessAsUser