diff --git a/detection-rules/spam_blob_core_from_new_dom.yml b/detection-rules/spam_blob_core_from_new_dom.yml
deleted file mode 100644
index 17b20d91c06..00000000000
--- a/detection-rules/spam_blob_core_from_new_dom.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-name: "Spam: Link to blob.core.windows.net from new domain (<30d)"
-description: "This rule detects messages containing a link to blob.core.windows.net from a sender domain less than 30 days old. There is a single recipient present, but the recipient is a random email address, and not someone at the organization."
-type: "rule"
-severity: "medium"
-source: |
-  type.inbound
-  and length(recipients.to) == 1
-  and any(recipients.to, .email.domain.root_domain not in $org_domains)
-  and network.whois(sender.email.domain).days_old < 30
-  and length(body.links) < 3
-  and any(body.links,
-          strings.ends_with(.href_url.domain.subdomain, "blob.core")
-          and .href_url.domain.root_domain == "windows.net"
-  )
-  and (
-    not profile.by_sender().solicited
-    or (
-      profile.by_sender().any_messages_malicious_or_spam
-      and not profile.by_sender().any_false_positives
-    )
-  )
-  and not profile.by_sender().any_false_positives
-attack_types:
-  - "Spam"
-tactics_and_techniques:
-  - "Free subdomain host"
-detection_methods:
-  - "Header analysis"
-  - "URL analysis"
-  - "Sender analysis"
-id: "a09b3800-50b6-5ea9-b96e-367b6c8b5125"
-testing_pr: 1537
-testing_sha: 0871ba7393875ed59802ed4603c7699cf260fa70