diff --git a/detection-rules/link_credential_phishing_secure_message.yml b/detection-rules/link_credential_phishing_secure_message.yml
index 4cf9ed06d0b..60f0fe56787 100644
--- a/detection-rules/link_credential_phishing_secure_message.yml
+++ b/detection-rules/link_credential_phishing_secure_message.yml
@@ -8,26 +8,28 @@ source: |
 and any(ml.nlu_classifier(body.current_thread.text).intents,
 .name == "cred_theft" and .confidence == "high"
 )
-
+
 // ----- other suspicious signals here -----
 and strings.icontains(body.html.display_text, "secure message")
-
+
 // todo: automated display name / human local part
 // todo: suspicious link (unfurl click trackers)
-
+
 // ----------
-
+
 // has at least 1 link
 and length(body.links) > 0
-
+
 // negate legitimate message senders
 and (
 sender.email.domain.root_domain not in ("protectedtrust.com")
 and any(body.links,
 .href_url.domain.root_domain != sender.email.domain.root_domain
 )
+ // Negate known secure mailer(s)
+ and not all(body.links, .href_url.domain.root_domain in ("mimecast.com"))
 )
-
+
 // first-time sender
 and (
 (
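Review bot: The added `and not all(body.links, .href_url.domain.root_domain in ("mimecast.com"))` suppresses the rule whenever every body link resolves to mimecast.com, and if that root domain also serves Mimecast's rewritten click-tracking URLs (which wrap an arbitrary destination), a "secure message" lure whose links have all been rewritten by a Mimecast-protected sending tenant would be excluded by this negation rather than caught. Consider anchoring the exclusion on the sender as the adjacent `sender.email.domain.root_domain not in ("protectedtrust.com")` clause does, or resolving the `// todo: suspicious link (unfurl click trackers)` above so the check applies to the unfurled destination instead of the wrapper domain. The comment could state the intent explicitly, e.g. `// negate known secure mailer(s): only when every link points at the mailer domain`, and use lowercase `negate` to match the surrounding comments. The enclosing `source:` expression continues past the end of this hunk.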