diff --git a/detection-rules/body_business_email_compromise_new_sender.yml b/detection-rules/body_business_email_compromise_new_sender.yml
index 1c509c258c0..16fb9df2d5f 100644
--- a/detection-rules/body_business_email_compromise_new_sender.yml
+++ b/detection-rules/body_business_email_compromise_new_sender.yml
@@ -10,7 +10,12 @@ source: |
   )
   // negating legit replies
   and not (
-    strings.istarts_with(subject.subject, "RE:")
+    (
+      strings.istarts_with(subject.subject, "RE:")
+      // out of office auto-reply
+      // the NLU model will handle these better natively soon
+      or strings.istarts_with(subject.subject, "Automatic reply:")
+    )
     and (
       length(headers.references) > 0
       or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
diff --git a/detection-rules/link_credential_phishing_secure_message.yml b/detection-rules/link_credential_phishing_secure_message.yml
index 4cf9ed06d0b..60f0fe56787 100644
--- a/detection-rules/link_credential_phishing_secure_message.yml
+++ b/detection-rules/link_credential_phishing_secure_message.yml
@@ -8,26 +8,28 @@ source: |
   and any(ml.nlu_classifier(body.current_thread.text).intents,
           .name == "cred_theft" and .confidence == "high"
   )
-
+  
   // ----- other suspicious signals here -----
   and strings.icontains(body.html.display_text, "secure message")
-
+  
   // todo: automated display name / human local part
   // todo: suspicious link (unfurl click trackers)
-
+  
   // ----------
-
+  
   // has at least 1 link
   and length(body.links) > 0
-
+  
   // negate legitimate message senders
   and (
     sender.email.domain.root_domain not in ("protectedtrust.com")
     and any(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
     )
+    // Negate known secure mailer(s)
+    and not all(body.links, .href_url.domain.root_domain in ("mimecast.com"))
   )
-
+  
   // first-time sender
   and (
     (
diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml
index 0df96e25fe3..a5eb16d114e 100644
--- a/detection-rules/link_credential_phishing_voicemail_language.yml
+++ b/detection-rules/link_credential_phishing_voicemail_language.yml
@@ -25,7 +25,11 @@ source: |
       all(body.links,
           .href_url.domain.root_domain != sender.email.domain.root_domain
           and .href_url.domain.root_domain not in $org_domains
-          and .href_url.domain.root_domain not in ("unitelvoice.com", "googleapis.com", "dialmycalls.com")
+          and .href_url.domain.root_domain not in (
+            "unitelvoice.com",
+            "googleapis.com",
+            "dialmycalls.com"
+          )
       )
     ),
     (
@@ -34,6 +38,20 @@ source: |
     ),
   )
   and sender.email.domain.root_domain not in ("magicjack.com", "unitelvoice.com")
+  
+  // negating legit replies
+  and not (
+    (
+      strings.istarts_with(subject.subject, "RE:")
+      // out of office auto-reply
+      // the NLU model will handle these better natively soon
+      or strings.istarts_with(subject.subject, "Automatic reply:")
+    )
+    and (
+      length(headers.references) > 0
+      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+    )
+  )
   and (
     (
       sender.email.domain.root_domain in $free_email_providers
diff --git a/detection-rules/link_google_open_redirect_with_suspicious_indicators.yml b/detection-rules/link_google_open_redirect_with_suspicious_indicators.yml
index e91911a9a39..a96f0c4381d 100644
--- a/detection-rules/link_google_open_redirect_with_suspicious_indicators.yml
+++ b/detection-rules/link_google_open_redirect_with_suspicious_indicators.yml
@@ -6,11 +6,13 @@ type: "rule"
 severity: "medium"
 source: |
   type.inbound
-  // All attachments are images
-  and length(attachments) > 0
-  and all(attachments, .file_type in $file_types_images)
+  // All attachments are images or 0 attachments
+  and (
+    (length(attachments) > 0 and all(attachments, .file_type in $file_types_images))
+    or length(attachments) == 0
+  )
   and sender.email.domain.root_domain not in $org_domains
-
+  
   // not a reply
   and (
     length(headers.references) == 0
@@ -52,7 +54,7 @@ source: |
     (
       any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
     ),
-
+  
     // White font is found in html raw
     (
       length(body.html.display_text) < 500
@@ -60,7 +62,7 @@ source: |
                           '<div style="color: #fff(fff)?.[^<]+<\/div><\/div><\/body><\/html>$'
       )
     )
-
+  
     // domains using .app matching this pattern observed abusing google's redirect
     or regex.icontains(sender.email.domain.domain, '[a-z]{3,}\.\d{5,}[^\.]+\.app$')
   )
diff --git a/detection-rules/link_suspicious_language_undisclosed_recipients.yml b/detection-rules/link_suspicious_language_undisclosed_recipients.yml
new file mode 100644
index 00000000000..7fcb7a130ba
--- /dev/null
+++ b/detection-rules/link_suspicious_language_undisclosed_recipients.yml
@@ -0,0 +1,61 @@
+name: "Credential Phishing: Suspicious language, link, recipients and other indicators"
+description: |
+  The rule flags inbound messages with no visible recipients, contain all-caps text, and include links from certain free hosts. It also checks for signs of credential theft using machine learning classifiers and is from a first-time sender.
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  
+  // no recipients defined
+  and (length(recipients.to) == 0 or all(recipients.to, .display_name == "Undisclosed recipients"))
+  and length(recipients.cc) == 0
+  and length(recipients.bcc) == 0
+  
+  and any(body.links,
+  
+          // suspicious link
+          // we've particularly seen 1drv.ms abused
+          // if using the full list causes FPs, we can reduce the 
+          // scope to a hard-coded list or add exclusions
+          (
+            .href_url.domain.domain in $free_file_hosts
+            or .href_url.domain.root_domain in $free_subdomain_hosts
+          )
+  
+          // link text is in all caps
+          and regex.match(.display_text, "[A-Z ]+")
+  )
+  
+  // any confidence cred_theft classification
+  and any(ml.nlu_classifier(body.current_thread.text).intents, .name == "cred_theft")
+  
+  // 'org' entity is in all caps
+  and any(ml.nlu_classifier(body.current_thread.text).entities,
+          .name == "org" and regex.match(.text, "[A-Z ]+")
+  )
+  
+  // subject is in all caps
+  and regex.match(subject.subject, "[A-Z ]+")
+  
+  // first-time sender
+  and (
+    (
+      sender.email.domain.root_domain in $free_email_providers
+      and sender.email.email not in $sender_emails
+    )
+    or (
+      sender.email.domain.root_domain not in $free_email_providers
+      and sender.email.domain.domain not in $sender_domains
+    )
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Natural Language Understanding"
+  - "Sender analysis"
+  - "URL analysis"
+id: "dcb39190-7ea1-5e82-8d6b-0242affdb6e3"
diff --git a/detection-rules/attachment_pdf_file_with_embedded_content.yml b/discovery-rules/attachment_pdf_file_with_embedded_content.yml
similarity index 100%
rename from detection-rules/attachment_pdf_file_with_embedded_content.yml
rename to discovery-rules/attachment_pdf_file_with_embedded_content.yml
diff --git a/signals/links/link_appspot_in_url_path_distinct.yml b/signals/links/link_appspot_in_url_path_distinct.yml
index 9259f5420c3..d00ffa94e69 100644
--- a/signals/links/link_appspot_in_url_path_distinct.yml
+++ b/signals/links/link_appspot_in_url_path_distinct.yml
@@ -1,4 +1,4 @@
-'name': "Link: Appspot in URL Path Unique Count"
-'type': "query"
-'source': |
-  length(distinct(body.links, strings.ilike(.href_url.path, "*appspot.com*")))
+name: "Link: Appspot in URL Path Unique Count"
+type: "query"
+source: |
+  length(distinct(filter(body.links, strings.ilike(.href_url.path, "*appspot.com*")), .href_url.url))
diff --git a/signals/links/link_free_file_host_distinct.yml b/signals/links/link_free_file_host_distinct.yml
index d2c06ca5aff..9bcf4195b1e 100644
--- a/signals/links/link_free_file_host_distinct.yml
+++ b/signals/links/link_free_file_host_distinct.yml
@@ -1,4 +1,4 @@
-'name': "Link: Free File Host Unique Count"
-'type': "query"
-'source': |
-  length(distinct(body.links, .href_url.domain.domain in $free_file_hosts))
+name: "Link: Free File Host Unique Count"
+type: "query"
+source: |
+  length(distinct(filter(body.links, .href_url.domain.domain in $free_file_hosts), .href_url.url))
diff --git a/signals/links/link_free_subdomain_host_distinct.yml b/signals/links/link_free_subdomain_host_distinct.yml
index f76c1871058..d59d6345997 100644
--- a/signals/links/link_free_subdomain_host_distinct.yml
+++ b/signals/links/link_free_subdomain_host_distinct.yml
@@ -1,8 +1,8 @@
-'name': "Link: Free Subdomain Host Unique Count"
-'type': "query"
-'source': |
-  length(distinct(body.links,
+name: "Link: Free Subdomain Host Unique Count"
+type: "query"
+source: |
+  length(distinct(filter(body.links,
       .href_url.domain.root_domain in $free_subdomain_hosts
       and .href_url.domain.subdomain is not null
       and .href_url.domain.subdomain != "www"
-  ))
+  ), .href_url.url))
diff --git a/signals/links/link_freenom_tld_distinct.yml b/signals/links/link_freenom_tld_distinct.yml
index 96be991225b..3610f00c3e4 100644
--- a/signals/links/link_freenom_tld_distinct.yml
+++ b/signals/links/link_freenom_tld_distinct.yml
@@ -1,4 +1,7 @@
-'name': "Link: Freenom TLD Unique Count"
-'type': "query"
-'source': |
-  length(distinct(body.links, .href_url.domain.tld in ("tk", "ml", "ga", "cf", "gq")))
+name: "Link: Freenom TLD Unique Count"
+type: "query"
+source: |
+  length(distinct(filter(body.links, .href_url.domain.tld in ("tk", "ml", "ga", "cf", "gq")),
+                .href_url.url
+       )
+  )
diff --git a/signals/links/link_google_open_redirect_distinct.yml b/signals/links/link_google_open_redirect_distinct.yml
index 40330e11f95..3f22fe8b759 100644
--- a/signals/links/link_google_open_redirect_distinct.yml
+++ b/signals/links/link_google_open_redirect_distinct.yml
@@ -1,5 +1,4 @@
-'name': "Link: Google Open Redirect Unique Count"
-'type': "query"
-'source': |
-  length(distinct(body.links,
-    regex.icontains(.href_url.url, "https?://(www.)?google.[a-zA-Z]{2,}/url\\?q=https?://.+")))
+name: "Link: Google Open Redirect Unique Count"
+type: "query"
+source: |
+  length(distinct(filter(body.links, regex.icontains(.href_url.url, "https?://(www.)?google.[a-zA-Z]{2,}/url\\?q=https?://.+")), .href_url.url))
\ No newline at end of file
diff --git a/signals/links/link_low_reputation_distinct.yml b/signals/links/link_low_reputation_distinct.yml
index 43959030b5d..2a862d6fb2b 100644
--- a/signals/links/link_low_reputation_distinct.yml
+++ b/signals/links/link_low_reputation_distinct.yml
@@ -1,4 +1,4 @@
-'name': "Link: Low Reputation Unique Count"
-'type': "query"
-'source': |
-  length(distinct(body.links, .href_url.domain.root_domain not in $tranco_1m))
+name: "Link: Low Reputation Unique Count"
+type: "query"
+source: |
+  length(distinct(filter(body.links, .href_url.domain.root_domain not in $tranco_1m), .href_url.url))
diff --git a/signals/links/link_mimatched_distinct.yml b/signals/links/link_mimatched_distinct.yml
index 5505135f9f2..c54815c5f21 100644
--- a/signals/links/link_mimatched_distinct.yml
+++ b/signals/links/link_mimatched_distinct.yml
@@ -1,4 +1,4 @@
-'name': "Link: Mismatch Unique Count"
-'type': "query"
-'source': |
-  length(distinct(body.links, .mismatched))
+name: "Link: Mismatch Unique Count"
+type: "query"
+source: |
+  length(distinct(filter(body.links, .mismatched), .href_url.url))
diff --git a/signals/links/link_suspicious_tld_distinct.yml b/signals/links/link_suspicious_tld_distinct.yml
index c32122e5107..a58ea167640 100644
--- a/signals/links/link_suspicious_tld_distinct.yml
+++ b/signals/links/link_suspicious_tld_distinct.yml
@@ -1,4 +1,4 @@
-'name': "Link: Suspicious TLD Unique Count"
-'type': "query"
-'source': |
-  length(distinct(body.links, .href_url.domain.tld in $suspicious_tlds))
+name: "Link: Suspicious TLD Unique Count"
+type: "query"
+source: |
+  length(distinct(filter(body.links, .href_url.domain.tld in $suspicious_tlds), .href_url.url))
diff --git a/signals/links/link_url_shortener_distinct.yml b/signals/links/link_url_shortener_distinct.yml
index 07ed3b2e666..130f7d81145 100644
--- a/signals/links/link_url_shortener_distinct.yml
+++ b/signals/links/link_url_shortener_distinct.yml
@@ -1,4 +1,4 @@
-'name': "Link: URL Shortener Unique Count"
-'type': "query"
-'source': |
-  length(distinct(body.links, .href_url.domain.root_domain in $url_shorteners))
+name: "Link: URL Shortener Unique Count"
+type: "query"
+source: |
+  length(distinct(filter(body.links, .href_url.domain.root_domain in $url_shorteners), .href_url.url))