diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
index b5b1f1a0c7f..019994e3efc 100644
--- a/detection-rules/callback_phishing_nlu_body_or_attachments.yml
+++ b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
@@ -5,6 +5,7 @@ type: "rule"
 severity: "medium"
 source: |
 type.inbound
+ and length(attachments) < 5
 and (
 any(attachments,
 (.file_type in $file_types_images or .file_type == "pdf")
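Review bot: The added `and length(attachments) < 5` sits at the top level of `source`, ahead of the `and (` group, so it gates every branch of the rule and not only the `any(attachments, ...)` scan. The file name suggests the group also has a body-only branch, which is not visible in this hunk. If so, a message with five or more attachments is no longer evaluated on its body text either, which is a coverage gap if the limit is only meant to bound attachment analysis. Consider moving the check inside the group so the attachment branch opens with `length(attachments) < 5 and any(attachments,`, and state next to it why 5 was chosen. The `source` expression continues past the end of the hunk.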