diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml index d45d5fa596f..2eaa5c00728 100644 --- a/detection-rules/callback_phishing_nlu_body_or_attachments.yml +++ b/detection-rules/callback_phishing_nlu_body_or_attachments.yml @@ -15,7 +15,9 @@ source: | ) ) or any(ml.nlu_classifier(body.current_thread.text).intents, - .name in ("callback_scam") and .confidence == "high" + .name in ("callback_scam") + and .confidence == "high" + and length(body.current_thread.text) < 1500 ) ) and not (