diff --git a/detection-rules/attachment_any_html_unsolicited.yml b/detection-rules/attachment_any_html_unsolicited.yml
index c5549895fd3..4b3daf7f348 100644
--- a/detection-rules/attachment_any_html_unsolicited.yml
+++ b/detection-rules/attachment_any_html_unsolicited.yml
@@ -12,11 +12,8 @@ source: |
   type.inbound
   and any(attachments, .file_extension in~ ('htm', 'html') or .file_type == "html")
   and (
-    not profile.by_sender().solicited
-    or (
-      profile.by_sender().any_messages_malicious_or_spam
-      and not profile.by_sender().any_false_positives
-    )
+    not profile.by_sender().any_false_positives
+    and not profile.by_sender().solicited
   )
 tags:
   - "Attack surface reduction"