From e1e4a33eff94748ef03daa010e536d565272a44b Mon Sep 17 00:00:00 2001
From: MSAdministrator <10687261+MSAdministrator@users.noreply.github.com>
Date: Wed, 20 May 2026 09:08:12 -0500
Subject: [PATCH 1/2] Update attachment_adobe_image_lure.yml
---
 detection-rules/attachment_adobe_image_lure.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/detection-rules/attachment_adobe_image_lure.yml b/detection-rules/attachment_adobe_image_lure.yml
index 85abe73c278..260cbc2967e 100644
--- a/detection-rules/attachment_adobe_image_lure.yml
+++ b/detection-rules/attachment_adobe_image_lure.yml
@@ -102,6 +102,11 @@ source: |
 // exclude solicited senders
 not profile.by_sender_email().solicited
 or profile.by_sender_email().prevalence == "new"
+ // exclude solicited senders where prevelance is rare
+ or (
+ profile.by_sender_email().prevalence == "rare"
+ and profile.by_sender_email().solicited
+ )
 or length(recipients.to) == 0
 // domains for recipients to/cc must be valid
 or (
From d933d28e56977a4ce3cfdf96dba0607009bea32c Mon Sep 17 00:00:00 2001
From: Josh Rickard <10687261+MSAdministrator@users.noreply.github.com>
Date: Wed, 20 May 2026 09:11:25 -0500
Subject: [PATCH 2/2] Update attachment_adobe_image_lure.yml
---
 detection-rules/attachment_adobe_image_lure.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/attachment_adobe_image_lure.yml b/detection-rules/attachment_adobe_image_lure.yml
index 260cbc2967e..02fe1f82960 100644
--- a/detection-rules/attachment_adobe_image_lure.yml
+++ b/detection-rules/attachment_adobe_image_lure.yml
@@ -102,7 +102,7 @@ source: |
 // exclude solicited senders
 not profile.by_sender_email().solicited
 or profile.by_sender_email().prevalence == "new"
- // exclude solicited senders where prevelance is rare
+ // include solicited senders where prevelance is rare
 or (
 profile.by_sender_email().prevalence == "rare"
 and profile.by_sender_email().solicited
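Review bot: The added branch re-admits solicited senders only at prevalence `"rare"`, so a solicited sender whose profile reports `"outlier"` is still dropped by the `not profile.by_sender_email().solicited` test above it. If that gap is not deliberate, `profile.by_sender_email().prevalence in ("outlier", "rare")` would close it; if it is deliberate, the comment should say why the line is drawn at `"rare"`. Because this widens the rule's match set to senders the organization has replied to, the comment should also record the reason, presumably that a prior reply does not rule out a compromised or impersonated low-volume sender. The `or` chain starts and ends outside the hunk, so how this branch binds to the rest of the rule cannot be confirmed from here.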
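Review bot: The corrected comment still carries the misspelling "prevelance"; it should read `// include solicited senders where prevalence is rare`. The heading three lines up, `// exclude solicited senders`, now sits over a block that also includes some solicited senders, so it would read more accurately as `// exclude solicited senders unless new or rare`. The parenthesized branch runs past the end of the hunk.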