diff --git a/detection-rules/link_credential_phishing_secure_message.yml b/detection-rules/link_credential_phishing_secure_message.yml
index 09618605c28..1ff0e5961c8 100644
--- a/detection-rules/link_credential_phishing_secure_message.yml
+++ b/detection-rules/link_credential_phishing_secure_message.yml
@@ -23,11 +23,15 @@ source: |
 // negate legitimate message senders
 and (
 sender.email.domain.root_domain not in ("protectedtrust.com")
- and any(body.links,
- .href_url.domain.root_domain != sender.email.domain.root_domain
- )
+ and any(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)
 // Negate known secure mailer(s)
 and not all(body.links, .href_url.domain.root_domain in ("mimecast.com", "cisco.com"))
+ and any(headers.hops,
+ .index == 0
+ and not any(.fields,
+ strings.contains(.value, 'multipart/mixed; boundary="PROOFPOINT_BOUNDARY_1"')
+ )
+ )
 )
 and (
 profile.by_sender().prevalence in ("new", "outlier")
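Review bot: The new `headers.hops` clause (the six added lines after the mimecast/cisco negation) suppresses the rule whenever hop 0 carries the literal `multipart/mixed; boundary="PROOFPOINT_BOUNDARY_1"` in a header value, and a header value is sender-supplied, so this exclusion rests on weaker evidence than the `sender.email.domain.root_domain` check above it; it is worth recording why this literal is trusted, or pairing it with a signal the sender does not control. The sibling negation carries a `// Negate known secure mailer(s)` comment but the new clause has none; I would add `// Negate Proofpoint-encapsulated messages (boundary string on first hop)` above it, assuming that is the intent. Note also that if `headers.hops` is empty the outer `any(...)` is false and the whole rule stops matching — confirm that is intended rather than using `not any(headers.hops, .index == 0 and any(.fields, ...))`. The enclosing `source:` expression starts before and continues after this hunk.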