diff --git a/detection-rules/impersonation_fake_copyright_infringement_notice_from_unsolicited_sender.yml b/detection-rules/impersonation_fake_copyright_infringement_notice_from_unsolicited_sender.yml
index 1df27aa0ab7..fef384b30e2 100644
--- a/detection-rules/impersonation_fake_copyright_infringement_notice_from_unsolicited_sender.yml
+++ b/detection-rules/impersonation_fake_copyright_infringement_notice_from_unsolicited_sender.yml
@@ -4,10 +4,10 @@ type: "rule"
 severity: "medium"
 source: |
 type.inbound
- and length(body.previous_threads) == 0
+ and (length(body.previous_threads) == 0 or length(headers.references) == 0)
 and length(body.current_thread.text) < 5000
 and 0 < length(body.links) < 10
-
+ // common strings in subject or base
 and (
 2 of (
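Review bot: The widened gate on the added line, `and (length(body.previous_threads) == 0 or length(headers.references) == 0)`, is strictly looser than the condition it replaces and its intent is not written down, so a reader of a rule named "from unsolicited sender" now sees it accept messages that do carry a quoted thread. I read the second disjunct as targeting a quoted thread that no References header backs, i.e. one the sender may have pasted in; if that is the intent, state it on the line above: `// unsolicited: no quoted thread, or a quoted thread not backed by a References header (likely pasted in)`. It is also worth confirming what `headers.references` evaluates to when the header is absent — if it is null rather than an empty list, `length(...) == 0` would not hold and the new disjunct would not fire for exactly the messages it targets. The `source:` block continues outside the hunk.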
@@ -43,81 +43,94 @@ source: |
 strings.ilike(sender.display_name, '*Advisory*')
 )
 )
-
+ // common strings in email current thread
- and 15 of (
- strings.ilike(body.current_thread.text, '*copyright*'),
- strings.ilike(body.current_thread.text, '*trademark*'),
- strings.ilike(body.current_thread.text, '*inquiry*'),
- strings.ilike(body.current_thread.text, '*online*'),
- strings.ilike(body.current_thread.text, '*authorized*'),
- strings.ilike(body.current_thread.text, '*legal*'),
- strings.ilike(body.current_thread.text, '*represent*'),
- strings.ilike(body.current_thread.text, '*lawful*'),
- strings.ilike(body.current_thread.text, '*owner*'),
- strings.ilike(body.current_thread.text, '*materials*'),
- strings.ilike(body.current_thread.text, '*protected*'),
- strings.ilike(body.current_thread.text, '*infring*'),
- strings.ilike(body.current_thread.text, '*immediate*'),
- strings.ilike(body.current_thread.text, '*cessation*'),
- strings.ilike(body.current_thread.text, '*content*'),
- strings.ilike(body.current_thread.text, '*referenced*'),
- strings.ilike(body.current_thread.text, '*17 U.S.C. §*'),
- strings.ilike(body.current_thread.text, '*constitutes*'),
- strings.ilike(body.current_thread.text, '*authorization*'),
- strings.ilike(body.current_thread.text, '*removal*'),
- strings.ilike(body.current_thread.text, '*comply*'),
- strings.ilike(body.current_thread.text, '*failure*'),
- strings.ilike(body.current_thread.text, '*law firm*'),
- strings.ilike(body.current_thread.text, '*LLP*'),
- strings.ilike(body.current_thread.text, '*compliance*'),
- strings.ilike(body.current_thread.text, '*cease*'),
- strings.ilike(body.current_thread.text, '*protect*'),
- strings.ilike(body.current_thread.text, '*rights*'),
- strings.ilike(body.current_thread.text, '*penalty*'),
- strings.ilike(body.current_thread.text, '*perjury*'),
- strings.ilike(body.current_thread.text, '*holder*'),
- strings.ilike(body.current_thread.text, '*declare*'),
- strings.ilike(body.current_thread.text, '*sworn*'),
- strings.ilike(body.current_thread.text, '*affidavit*'),
- strings.ilike(body.current_thread.text, '*investigation*'),
- strings.ilike(body.current_thread.text, '*identified*'),
- strings.ilike(body.current_thread.text, '*reproduction*'),
- strings.ilike(body.current_thread.text, '*license*'),
- strings.ilike(body.current_thread.text, '*granted*'),
- strings.ilike(body.current_thread.text, '*permitting*'),
- strings.ilike(body.current_thread.text, '*evidence*'),
- strings.ilike(body.current_thread.text, '*proceedings*'),
- strings.ilike(body.current_thread.text, '*evidentiary*'),
- strings.ilike(body.current_thread.text, '*remove*'),
- strings.ilike(body.current_thread.text, '*suspend*'),
- strings.ilike(body.current_thread.text, '*discontinue*'),
- strings.ilike(body.current_thread.text, '*72 hours*'),
- strings.ilike(body.current_thread.text, '*48 hours*'),
- strings.ilike(body.current_thread.text, '*24 hours*'),
- strings.ilike(body.current_thread.text, '*proof*'),
- strings.ilike(body.current_thread.text, '*unresolved*'),
- strings.ilike(body.current_thread.text, '*accordance*'),
- strings.ilike(body.current_thread.text, '*procedures*'),
- strings.ilike(body.current_thread.text, '*interests*'),
- strings.ilike(body.current_thread.text, '*appeal*'),
- strings.ilike(body.current_thread.text, '*clarification*'),
- strings.ilike(body.current_thread.text, '*notice*'),
- strings.ilike(body.current_thread.text, '*dissemination*'),
- strings.ilike(body.current_thread.text, '*counter-notice*'),
- strings.ilike(body.current_thread.text, '*exploitation*')
+ and (
+ 15 of (
+ strings.ilike(body.current_thread.text, '*copyright*'),
+ strings.ilike(body.current_thread.text, '*trademark*'),
+ strings.ilike(body.current_thread.text, '*inquiry*'),
+ strings.ilike(body.current_thread.text, '*online*'),
+ strings.ilike(body.current_thread.text, '*authorized*'),
+ strings.ilike(body.current_thread.text, '*legal*'),
+ strings.ilike(body.current_thread.text, '*represent*'),
+ strings.ilike(body.current_thread.text, '*lawful*'),
+ strings.ilike(body.current_thread.text, '*owner*'),
+ strings.ilike(body.current_thread.text, '*materials*'),
+ strings.ilike(body.current_thread.text, '*protected*'),
+ strings.ilike(body.current_thread.text, '*infring*'),
+ strings.ilike(body.current_thread.text, '*immediate*'),
+ strings.ilike(body.current_thread.text, '*cessation*'),
+ strings.ilike(body.current_thread.text, '*content*'),
+ strings.ilike(body.current_thread.text, '*referenced*'),
+ strings.ilike(body.current_thread.text, '*17 U.S.C. §*'),
+ strings.ilike(body.current_thread.text, '*constitutes*'),
+ strings.ilike(body.current_thread.text, '*authorization*'),
+ strings.ilike(body.current_thread.text, '*removal*'),
+ strings.ilike(body.current_thread.text, '*comply*'),
+ strings.ilike(body.current_thread.text, '*failure*'),
+ strings.ilike(body.current_thread.text, '*law firm*'),
+ strings.ilike(body.current_thread.text, '*LLP*'),
+ strings.ilike(body.current_thread.text, '*compliance*'),
+ strings.ilike(body.current_thread.text, '*cease*'),
+ strings.ilike(body.current_thread.text, '*protect*'),
+ strings.ilike(body.current_thread.text, '*rights*'),
+ strings.ilike(body.current_thread.text, '*penalty*'),
+ strings.ilike(body.current_thread.text, '*perjury*'),
+ strings.ilike(body.current_thread.text, '*holder*'),
+ strings.ilike(body.current_thread.text, '*declare*'),
+ strings.ilike(body.current_thread.text, '*sworn*'),
+ strings.ilike(body.current_thread.text, '*affidavit*'),
+ strings.ilike(body.current_thread.text, '*investigation*'),
+ strings.ilike(body.current_thread.text, '*identified*'),
+ strings.ilike(body.current_thread.text, '*reproduction*'),
+ strings.ilike(body.current_thread.text, '*license*'),
+ strings.ilike(body.current_thread.text, '*granted*'),
+ strings.ilike(body.current_thread.text, '*permitting*'),
+ strings.ilike(body.current_thread.text, '*evidence*'),
+ strings.ilike(body.current_thread.text, '*proceedings*'),
+ strings.ilike(body.current_thread.text, '*evidentiary*'),
+ strings.ilike(body.current_thread.text, '*remove*'),
+ strings.ilike(body.current_thread.text, '*suspend*'),
+ strings.ilike(body.current_thread.text, '*discontinue*'),
+ strings.ilike(body.current_thread.text, '*72 hours*'),
+ strings.ilike(body.current_thread.text, '*48 hours*'),
+ strings.ilike(body.current_thread.text, '*24 hours*'),
+ strings.ilike(body.current_thread.text, '*proof*'),
+ strings.ilike(body.current_thread.text, '*unresolved*'),
+ strings.ilike(body.current_thread.text, '*accordance*'),
+ strings.ilike(body.current_thread.text, '*procedures*'),
+ strings.ilike(body.current_thread.text, '*interests*'),
+ strings.ilike(body.current_thread.text, '*appeal*'),
+ strings.ilike(body.current_thread.text, '*clarification*'),
+ strings.ilike(body.current_thread.text, '*notice*'),
+ strings.ilike(body.current_thread.text, '*dissemination*'),
+ strings.ilike(body.current_thread.text, '*counter-notice*'),
+ strings.ilike(body.current_thread.text, '*exploitation*')
+ )
+ or (
+ any(ml.nlu_classifier(body.current_thread.text).topics,
+ .name == "Legal and Compliance" and .confidence != 'low'
+ )
+ and length(attachments) == 0
+ // fake attachment card: bordered div containing a link that looks like a PDF file
+ and length(html.xpath(body.html,
+ '//div[contains(@style, "border")][.//a[contains(., ".pdf")]]'
+ ).nodes
+ ) > 0
+ )
 )
-
+ // remove phrase from legitimate complaint
 and not regex.icontains(body.current_thread.text, '(?:we are passing the notice below|content has been removed|removed from our website|notice of intended action|I have not granted|I am the original creator|content you reported has been removed|complaint will be carefully reviewed|provide a list of violations|document confirming your right to act)'
 )
-
+ // not copyright reports
 and not regex.icontains(body.current_thread.text, '(?:confirmation|received).{0,100}copyright report'
 )
-
+ // verified dmca receiving/sending address
 and not any([recipients.cc, recipients.to, recipients.bcc], any(.,
@@ -130,6 +143,7 @@ source: |
 )
 )
 and not strings.icontains(sender.email.domain.root_domain, 'edwinjamesip.com')
+
 attack_types:
 - "BEC/Fraud"
 - "Extortion"
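Review bot: In the new `or (` branch the XPath `//div[contains(@style, "border")][.//a[contains(., ".pdf")]]` compares case-sensitively, so a fake attachment card whose link text reads `Notice.PDF` is not matched, and `contains(@style, "border")` also accepts `border: none` or `border: 0`. XPath 1.0 has no lower-case(), so the anchor predicate can be written `[.//a[contains(translate(., "PDF", "pdf"), ".pdf")]]`, and the style predicate is worth narrowing to the border styles actually observed in the samples the branch was built from. This branch carries no keyword requirement at all, so its precision rests on the NLU topic, `length(attachments) == 0` and this single HTML shape, with the `not regex.icontains` exclusions further down still applying to it; I would say so in the `// fake attachment card` comment so the next editor does not assume the branch is self-contained. I cannot tell from the hunk whether `.confidence` can be absent for a topic, in which case `!= 'low'` would hold for it — confirm against the classifier output. The `source:` block continues outside the hunk.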