diff --git a/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml b/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml
index 92325b3de87..b57a8a5a500 100644
--- a/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml
+++ b/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml
@@ -28,8 +28,15 @@ source: |
 any(recipients.to,
 any(..scan.javascript.strings, strings.icontains(., ..email.email))
 )
+
+ // Negating Cisco Secure Email Encryption
+ and not any(.scan.javascript.strings,
+ strings.contains(., "Cisco Registered Envelope Service")
+ and not strings.contains(., "https://res.cisco.com:443")
+ )
 )
 )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
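Review bot: The new `and not any(.scan.javascript.strings, ...)` exclusion applies both predicates to the same string, so it is satisfied by any single string that contains "Cisco Registered Envelope Service" and lacks `https://res.cisco.com:443`, which looks inverted relative to the comment's stated intent of negating genuine Cisco envelopes. If the intent is to exclude only files that carry both the service name and the Cisco endpoint, the two checks belong in separate `any()` calls, for example `and not (any(.scan.javascript.strings, strings.contains(., "Cisco Registered Envelope Service")) and any(.scan.javascript.strings, strings.contains(., "https://res.cisco.com:443")))`. Either way the exclusion rests only on content inside the attachment, which the sender controls, so it is worth pairing with a signal from outside the file and extending the comment to say what a legitimate envelope is expected to contain. The enclosing `any(...)` expression starts above this hunk, so the scoping of `.` here is inferred from the visible lines.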