diff --git a/detection-rules/spam_high_microsoft_scl_not_in_spam_folder.yml b/detection-rules/spam_high_microsoft_scl_not_in_spam_folder.yml
index 0d8e1ec6d05..af908a3fe56 100644
--- a/detection-rules/spam_high_microsoft_scl_not_in_spam_folder.yml
+++ b/detection-rules/spam_high_microsoft_scl_not_in_spam_folder.yml
@@ -13,13 +13,10 @@ source: |
   )
   and external.spam is null
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $sender_emails
-    )
+    profile.by_sender().prevalence in ("new", "outlier")
     or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $sender_domains
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
     )
   )
 attack_types:
@@ -29,4 +26,4 @@ detection_methods:
   - "Sender analysis"
 id: "801a5470-0498-55ba-a590-4cb105038e95"
 testing_pr: 668
-testing_sha: f715f1823ea70bb122765225d74d001fc406357c
+testing_sha: ca483e4ba7cadd9dea3b5be7636d9e8ab14fa026
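Review bot: The rewritten condition in the first hunk drops the `$sender_emails` and `$sender_domains` exclusions entirely, so a sender that is explicitly listed there but whose profile is "new" or "outlier", or has any prior malicious/spam messages without a recorded false positive, now matches where it was previously carved out. If retiring that list-based carve-out in favour of sender-profile prevalence is the intent, it should be recorded in the rule's description, which sits above the hunk; otherwise the old guards could be retained alongside the new checks, e.g. `and sender.email.email not in $sender_emails` and `and sender.email.domain.domain not in $sender_domains` as additional `and` terms inside the outer parenthesis. It is also worth confirming that `any_messages_malicious_or_spam and not any_false_positives` behaves as intended for senders with no history at all, since those are presumably already caught by the "new" prevalence branch and the two branches may overlap more than the old free-mail/non-free-mail split did. The enclosing `source:` expression begins above the hunk, so the conditions on `external.spam` and the SCL header that precede these lines are not visible here.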