diff --git a/detection-rules/headers_replyto_new_domain_nlu_request.yml b/detection-rules/headers_replyto_new_domain_nlu_request.yml
index c26b16bc096..65b1bd2945b 100644
--- a/detection-rules/headers_replyto_new_domain_nlu_request.yml
+++ b/detection-rules/headers_replyto_new_domain_nlu_request.yml
@@ -9,14 +9,11 @@ source: |
   and any(headers.reply_to,
           // mismatched reply-to and sender domain
           .email.domain.root_domain != sender.email.domain.root_domain
-
           // newly registered reply-to domain
           and beta.whois(.email.domain).days_old <= 30
   )
-
   // request is being made
   and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
-
   // there's financial/urgency OR a tag of medium/high confidence
   and (
     any(ml.nlu_classifier(body.current_thread.text).entities, .name in ("financial", "urgency"))
@@ -24,13 +21,8 @@ source: |
            .name is not null and .confidence in ("medium", "high")
     )
   )
-  and (
-    profile.by_sender().prevalence in ("new", "outlier")
-    or (
-      profile.by_sender().any_messages_malicious_or_spam
-      and not profile.by_sender().any_false_positives
-    )
-  )
+  and not profile.by_sender().any_false_positives
+  
 attack_types:
   - "BEC/Fraud"
 tactics_and_techniques: