diff --git a/detection-rules/body_advance_fee_new_sender.yml b/detection-rules/body_advance_fee_new_sender.yml
index 35ce0ca2aa7..963d4def4a9 100644
--- a/detection-rules/body_advance_fee_new_sender.yml
+++ b/detection-rules/body_advance_fee_new_sender.yml
@@ -23,17 +23,23 @@ source: |
 ) or sender.email.domain.tld in $suspicious_tlds ) - and any(ml.nlu_classifier(body.current_thread.text).tags, - .name == "advance_fee" and .confidence in ("medium", "high") - ) and ( - profile.by_sender().prevalence in ("new", "outlier") + any(ml.nlu_classifier(body.current_thread.text).tags, + .name == "advance_fee" and .confidence in ("medium", "high") + ) or ( - profile.by_sender().any_messages_malicious_or_spam - and not profile.by_sender().any_false_positives + length(body.current_thread.text) < 200 + and regex.icontains(body.current_thread.text, '(donation|inheritence|\$\d,\d{3}\,\d{3}|lottery)' ) ) ) - + and ( not profile.by_sender().solicited or profile.by_sender().any_messages_malicious_or_spam ) + + and not profile.by_sender().any_false_positives attack_types: - "BEC/Fraud" tactics_and_techniques:
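Review bot: The fallback pattern passed to the added `regex.icontains` call misspells the keyword as `inheritence`, so the case-insensitive match fires only on that misspelling and misses the correctly spelled `inheritance`; `inherit[ae]nce` covers both if the misspelled form is also wanted. The money alternative `\$\d,\d{3}\,\d{3}` only matches one-digit-million amounts such as $1,000,000 (and the `\,` escape is redundant), which looks narrower than intended — `\$\d{1,3}(,\d{3}){1,2}` would also catch amounts like $5,000 or $250,000, if that is the goal. Because the new `or` branch lets a sub-200-character body mentioning "donation" or "lottery" satisfy the rule without any NLU classifier hit, the rule's description (outside this hunk) should mention that keyword fallback so analysts know why a match fired and can weigh the false-positive risk from legitimate charity or sweepstakes mail. The stray blank line inside the expression before `and not profile.by_sender().any_false_positives` should be dropped for consistency with the rest of the block; the `source: |` expression begins before this hunk.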