diff --git a/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml b/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml
index 88a32985463..6008bfcc386 100644
--- a/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml
+++ b/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml
@@ -237,6 +237,7 @@ source: |
 "your document settlement",
 "your order with amazon",
 "your password has been compromised",
+ "ach? (?:payment|transfer|transaction)",
 // cryptocurrency related subjects
 '\d{1,2}.\d{1,8}\s(BTC|ETH|SOL|(?:USD[CT])|XRP) Offer Waiting for(\sYour)?\sReview',
@@ -254,7 +255,7 @@ source: |
 // urgency request
 and any(ml.nlu_classifier(body.current_thread.text).entities,
- .name == "urgency"
+ .name in ("urgency", "greeting")
 )
 // org presence
@@ -264,6 +265,7 @@ source: |
 and (
 not strings.istarts_with(subject.subject, "re:")
 and not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+ or not length(headers.reply_to) > 0
 )
 // the message is unsolicited and no false positives
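Review bot: The new subject entry `"ach? (?:payment|transfer|transaction)"` makes the `h` optional rather than marking a word boundary, so it matches "ac payment" as well as "ach payment"; if this list is applied as an unanchored, case-insensitive regex (the neighbouring `\d{1,2}…Review` entry suggests regex semantics), it will also fire inside ordinary phrases such as "each transaction" or "reach payment". If ACH, the clearing-house term, is the intent, anchor the token instead: `"\bach\s(?:payment|transfer|transaction)\b"`. The list this entry belongs to, and the function that consumes it, start before the hunk, so the matching mode cannot be confirmed from here.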
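Review bot: The comment `// urgency request` above the changed predicate is now stale, because `.name in ("urgency", "greeting")` also accepts a message whose only matching NLU entity is a greeting. A greeting entity is likely present in a large share of legitimate mail, so this clause no longer asserts urgency on its own and the rule's precision now rests on the remaining conditions; the widening is worth confirming against the rule's false-positive samples before merge. Suggest replacing the comment with `// urgency or greeting entity reported by the NLU classifier`. The `any(...)` call is complete within the hunk, but the enclosing `source:` expression starts before it.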
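Review bot: The added `or not length(headers.reply_to) > 0` sits inside a group whose other two terms are joined by `and`; if `and` binds tighter than `or` here, as in most query languages, the group reads `(not "re:" and no In-Reply-To) or no Reply-To`, so any message without a Reply-To header satisfies the "unsolicited" gate even when its subject starts with "re:" and it carries an In-Reply-To hop field. If a missing Reply-To is meant as an additional requirement, change the line to `and length(headers.reply_to) == 0`; if it is meant as an alternative path, parenthesize the first two terms explicitly so the precedence is visible. Whether `length()` tolerates an absent `headers.reply_to` is not visible from the hunk and should be checked. The `and (` group is complete in the hunk, but the wider expression starts before it.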