diff --git a/detection-rules/self_sender_french_copypaste_instructions_suspicious_domains.yml b/detection-rules/self_sender_french_copypaste_instructions_suspicious_domains.yml
index a2c3f0979d8..8cbdec00e94 100644
--- a/detection-rules/self_sender_french_copypaste_instructions_suspicious_domains.yml
+++ b/detection-rules/self_sender_french_copypaste_instructions_suspicious_domains.yml
@@ -1,9 +1,11 @@
-name: "Self-sender with copy/paste instructions and suspicious domains (French/Français)"
+name: "Self-sender with suspicious links (French/Français)"
 description: "Detects messages where the sender emails themselves with French text containing 'copier' (copy) and 'coller' (paste) instructions, along with suspicious domains like pages.dev or web.app. The subject line contains both the sender's email and display name, which are different values."
 type: "rule"
 severity: "medium"
 source: |
   type.inbound
+  // message is in French
+  and ml.nlu_classifier(body.current_thread.text).language == 'french'
   // self sender
   and (
     length(recipients.to) == 1
@@ -13,10 +15,6 @@ source: |
   and strings.icontains(subject.subject, sender.email.email)
   and strings.icontains(subject.subject, sender.display_name)
   and sender.email.email != sender.display_name
-  // copy
-  and strings.icontains(body.current_thread.text, 'copier')
-  // paste
-  and strings.icontains(body.current_thread.text, 'coller')
   and (
     strings.contains(body.current_thread.text, '.pages.dev')
     or strings.contains(body.current_thread.text, '.web.app')
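Review bot: The `description` line kept as context in the first hunk still states that the rule requires French text containing 'copier' (copy) and 'coller' (paste) instructions, but the second hunk removes exactly those conditions and the `name` is changed to "Self-sender with suspicious links", so the rule's own documentation now describes logic it no longer has. It should be rewritten to match the new source, e.g. `description: "Detects messages where the sender emails themselves, the body is classified as French, and the body mentions suspicious domains like pages.dev or web.app. The subject line contains both the sender's email and display name, which are different values."`. The file name `self_sender_french_copypaste_instructions_suspicious_domains.yml` likewise still names the removed copy/paste condition; a rename is outside this hunk but worth a follow-up so the rule id does not mislead triage. The new `ml.nlu_classifier(body.current_thread.text).language == 'french'` conjunct is placed ahead of the cheaper self-sender string checks; if the engine short-circuits `and` in order, moving it after them avoids running the classifier on every inbound message, and the comment `// message is in French` could say that this classifier result is now the rule's only language gate since the keyword anchors are gone.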
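Review bot: With the `copier`/`coller` anchors removed in the second hunk, the domain check that follows is the rule's only content signal, yet it is a case-sensitive `strings.contains` on the raw body text while the removed lines used `strings.icontains`; hostnames are case-insensitive, so a body containing `.Pages.dev` or `.WEB.APP` would now evade the rule, and `strings.icontains(body.current_thread.text, '.pages.dev')` (and likewise for `.web.app`) closes that gap, or matching on parsed link domains if the platform exposes them. Dropping the keyword requirement also widens the rule from "self-sent French copy/paste lure" to "any self-sent French message that mentions these hosting domains", which is a precision change at `severity: "medium"` that nothing in the diff explains; a one-line comment above the `and (` block such as `// free static hosts (pages.dev, web.app) are the remaining lure indicator now that copy/paste keywords are not required` would record the intent for the next maintainer. The `source` block continues past the end of the hunk, so any further conditions are not visible here.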