diff --git a/detection-rules/body_advance_fee_new_sender.yml b/detection-rules/body_advance_fee_new_sender.yml
deleted file mode 100644
index 91979c150a4..00000000000
--- a/detection-rules/body_advance_fee_new_sender.yml
+++ /dev/null
@@ -1,55 +0,0 @@
-name: "Body: Advance Fee Fraud (AFF) from Freemail providers or Suspicious TLDs"
-description: |
- Advance Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised
- future returns, such as lottery scams, inheritance payouts, and investment opportunities.
- This rule identifies messages from Freemail domains or suspicious TLDS, including those
- with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect
- AFF language in their contents.
-type: "rule"
-severity: "medium"
-source: |
- type.inbound
- and (
- sender.email.domain.domain in $free_email_providers
- or (
- length(headers.reply_to) > 0
- and all(headers.reply_to,
- (
- .email.domain.root_domain in $free_email_providers
- or .email.domain.tld in $suspicious_tlds
- )
- and .email.email != sender.email.email
- )
- )
- or sender.email.domain.tld in $suspicious_tlds
- )
- and (
- any(ml.nlu_classifier(body.current_thread.text).tags,
- .name == "advance_fee" and .confidence in ("medium", "high")
- )
- or (
- length(body.current_thread.text) < 200
- and regex.icontains(body.current_thread.text,
- '(donation|inheritence|\$\d,\d\d\d\,\d\d\d|lottery)'
- )
- )
- )
- and (
- profile.by_sender().prevalence in ("new", "outlier")
- or (
- profile.by_sender().any_messages_malicious_or_spam
- and not profile.by_sender().any_false_positives
- )
- )
-attack_types:
- - "BEC/Fraud"
-tactics_and_techniques:
- - "Social engineering"
-detection_methods:
- - "Content analysis"
- - "Header analysis"
- - "Natural Language Understanding"
- - "Sender analysis"
-id: "6a5af373-a97b-5013-aeec-42ac8b4b8ba1"
-testing_pr: 922
-testing_sha: cfbd6ecc6b94416e898a284b2601d838eb91b83a
diff --git a/detection-rules/link_qr_code_suspicious_language_fts.yml b/detection-rules/link_qr_code_suspicious_language_fts.yml
deleted file mode 100644
index 5afcbac04a5..00000000000
--- a/detection-rules/link_qr_code_suspicious_language_fts.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: "Link: QR Code with suspicious language (first-time sender) "
-description: |
- This rule analyzes image attachments for QR Codes that contain URLs including the recipient's email address. It ensures that the URLs do not link to any organizational domains.
- Additionally, it examines the email body using Natural Language Processing to detect credential phishing language.In cases of null bodies,
- the rule is conditioned to check the image for any suspicious terms.
-type: "rule"
-severity: "medium"
-source: "type.inbound\n\n// check image attachments for QR code, will want to add message.screenshot functionality here when it's ready\n// and length(attachments) < 10\nand any(attachments,\n (.file_type in $file_types_images or .file_type == \"pdf\")\n and any(file.explode(.),\n .scan.qr.type == \"url\"\n\n // recipient email address is present in the URL, a common tactic used in credential phishing attacks and the url is not in $org_domains\n and any(recipients.to,\n strings.icontains(..scan.qr.data, .email.email) and .email.domain.valid\n )\n and .scan.qr.url.domain.root_domain not in $org_domains\n )\n)\n\n// NLU has identified cred_theft language with high confidence\nand (\n any(ml.nlu_classifier(body.current_thread.text).intents,\n .name == \"cred_theft\" and .confidence == \"high\"\n )\n or \n // the attachment contains suspicious strings\n (\n any(attachments,\n (.file_type in $file_types_images or .file_type == \"pdf\")\n and any(file.explode(.),\n any(.scan.strings.strings,\n regex.icontains(.,\n '(\\b2fa\\b|\\bQ.?R\\.?\\s?\\b|MFA|Muti[ -]?Factor Auth(entication)?)'\n )\n )\n )\n )\n )\n)\n\n// negate highly trusted sender domains unless they fail DMARC authentication\nand\n(\n (\n sender.email.domain.root_domain in $high_trust_sender_root_domains\n and (\n any(distinct(headers.hops, .authentication_results.dmarc is not null),\n strings.ilike(.authentication_results.dmarc, \"*fail\")\n )\n )\n )\n or sender.email.domain.root_domain not 
in $high_trust_sender_root_domains\n)\n"
-attack_types:
- - "Credential Phishing"
-tactics_and_techniques:
- - "Impersonation: Brand"
- - "QR code"
- - "Social engineering"
-detection_methods:
- - "Content analysis"
- - "Computer Vision"
- - "Natural Language Understanding"
- - "QR code analysis"
- - "Sender analysis"
- - "URL analysis"
-id: "25a84d1c-9578-53e3-98a7-ca9b43abb28b"
-testing_pr: 924
-testing_sha: 1af78f3da97994f513685c86c3414b18510e352a