diff --git a/detection-rules/attachment_html_emoji_map.yml b/detection-rules/attachment_html_emoji_map.yml
deleted file mode 100644
index 8cc50b7da6c..00000000000
--- a/detection-rules/attachment_html_emoji_map.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-name: "Attachment: HTML With Emoji-to-Character Map"
-description: "Detects inbound messages containing HTML attachments with an unusually high number of emojis in a list, sent from untrusted or suspicious senders who lack an established sending history or have previous malicious behavior."
-type: "rule"
-severity: "high"
-source: |
- type.inbound
- and any(attachments,
- (
- .file_extension in~ ("html", "htm", "shtml", "dhtml")
- or .file_type == "html"
- or .content_type in ("application/octet-stream", "text/html")
- )
- and regex.icount(file.parse_html(.).raw,
- '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}].{0,10},'
- ) > 10
- )
- and (
- (
- profile.by_sender().prevalence in ("new", "outlier")
- and not profile.by_sender().solicited
- )
- or profile.by_sender().any_messages_malicious_or_spam
- )
- and not profile.by_sender().any_false_positives
-
- // negate highly trusted sender domains unless they fail DMARC authentication
- and (
- (
- sender.email.domain.root_domain in $high_trust_sender_root_domains
- and not headers.auth_summary.dmarc.pass
- )
- or sender.email.domain.root_domain not in $high_trust_sender_root_domains
- )
-attack_types:
- - "Credential Phishing"
-tactics_and_techniques:
- - "Evasion"
- - "HTML smuggling"
- - "Impersonation: Brand"
- - "Scripting"
- - "Social engineering"
-detection_methods:
- - "File analysis"
- - "HTML analysis"
- - "Javascript analysis"
- - "Sender analysis"
-id: "3119d086-13b9-549c-85b9-8117beaded4a"
-testing_pr: 2135
-testing_sha: 3efaf45861c7ed62e0a030864f25121ce565f099