diff --git a/detection-rules/recon_short_generic_greeting.yml b/detection-rules/recon_short_generic_greeting.yml
index 373f246438e..6456f9434a2 100644
--- a/detection-rules/recon_short_generic_greeting.yml
+++ b/detection-rules/recon_short_generic_greeting.yml
@@ -42,28 +42,37 @@ source: |
 // no attachments or links
 and length(attachments) == 0
 and length(body.current_thread.links) == 0
- // negate sender profiles completely if auth is failing
+
+ // not where the sender and mailbox display_anames indicate this might be a personal email --> work email
+ // impersonation is covered by other core feed rules
+ and not (
+ sum([length(recipients.to), length(recipients.bcc), length(recipients.cc)]) == 1
+ // use coalesce to deal with either the sender.display_name or the mailbox element being null
+ // if either are null, the function returns false, as it cannot be true if either is null
+ and coalesce(strings.icontains(sender.display_name, mailbox.first_name),
+ false
+ )
+ and coalesce(strings.icontains(sender.display_name, mailbox.last_name), false)
+ )
 and (
- (
- not (
- coalesce(headers.auth_summary.dmarc.pass, false)
- or headers.auth_summary.spf.pass == false
- )
+ // auth failed (or absent) - ignore the profile
+ coalesce(headers.auth_summary.dmarc.pass, false) == false
+ or coalesce(headers.auth_summary.spf.pass, false) == false
+ // auth passed - use the profile
+ or (
+ // no benign messages
+ not profile.by_sender_email().any_messages_benign
 and (
- not profile.by_sender().solicited
- or (
- profile.by_sender().any_messages_malicious_or_spam
- and not profile.by_sender().any_messages_benign
+ // not soliticed OR common
+ not (
+ profile.by_sender_email().solicited
+ or profile.by_sender_email().prevalence == "common"
 )
+ // or HAS been spam_malicious
+ or profile.by_sender_email().any_messages_malicious_or_spam
 )
- and not profile.by_sender().any_messages_benign
- )
- or (
- coalesce(headers.auth_summary.dmarc.pass, false)
- or headers.auth_summary.spf.pass == false
 )
 )
-
 tags:
 - "Attack surface reduction"
 attack_types:
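Review bot: The new personal-to-work exclusion (`and not ( sum([...]) == 1 and coalesce(strings.icontains(sender.display_name, mailbox.first_name), false) and coalesce(strings.icontains(sender.display_name, mailbox.last_name), false) )`) keys on substring matches, so a very short or empty `mailbox.first_name` or `mailbox.last_name` would make both `strings.icontains` checks succeed for many unrelated display names and suppress the rule for that recipient; whether `strings.icontains` treats an empty needle as a match is not visible here, so this is worth confirming. A cheap guard inside the exclusion would be `and length(mailbox.first_name) > 1` and `and length(mailbox.last_name) > 1`, using the same `length()` helper the hunk already relies on. Separately, the comment `// not soliticed OR common` reads as "not solicited, or common" while the condition below it is `not (solicited or prevalence == "common")`; `// neither solicited nor common` states the actual logic (and fixes the typo), and `display_anames` in the first new comment should be `display_names`. The `source: |` block scalar starts before this hunk.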