diff --git a/detection-rules/link_credential_phishing.yml b/detection-rules/link_credential_phishing.yml
index 24184577d11..56a1937f0b1 100644
--- a/detection-rules/link_credential_phishing.yml
+++ b/detection-rules/link_credential_phishing.yml
@@ -10,16 +10,15 @@ source: |
           and beta.linkanalysis(.).credphish.confidence in ("medium", "high")
   )
   and (
-    profile.by_sender().prevalence in ("new", "outlier")
+    not profile.by_sender().solicited
     or (
       profile.by_sender().any_messages_malicious_or_spam
       and not profile.by_sender().any_false_positives
     )
   )
-
+  // negate highly trusted sender domains unless they fail DMARC authentication
-  and
-  (
+  and (
     (
       sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
@@ -30,6 +29,7 @@ source: |
     )
     or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
+  and not profile.by_sender().any_false_positives
 attack_types:
   - "Credential Phishing"
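Review bot: The `and not profile.by_sender().any_false_positives` kept inside the `or (…)` branch of this hunk becomes redundant once the second hunk adds the same predicate as a top-level conjunct over the whole rule, and leaving both makes it look as if the false-positive exemption applies only to the malicious-or-spam branch. Either drop the inner one or document the new top-level line with something like `// any prior false positive on this sender suppresses the rule entirely, regardless of credphish confidence` so the breadth of the exemption is explicit. As written, that top-level exemption also fires when `beta.linkanalysis(.).credphish.confidence` is "high" and the sender is unsolicited, so a single historical FP on a sender silences this rule for that sender from then on; if that is not intended, consider scoping the exemption to the medium-confidence case. The rule's `source` block begins before and ends after this hunk.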