diff --git a/detection-rules/recon_large_recipients_unknown.yml b/detection-rules/recon_large_recipients_unknown.yml
index ae41424e086..248451c950a 100644
--- a/detection-rules/recon_large_recipients_unknown.yml
+++ b/detection-rules/recon_large_recipients_unknown.yml
@@ -6,7 +6,7 @@ description: |
 type: "rule"
 severity: "low"
 source: |
- type.inbound
+ type.inbound
 and (
 length(recipients.to) > 10
 and length(filter(recipients.to,
@@ -20,7 +20,12 @@ source: |
 ) >= 10
 )
 and (
- length(subject.subject) <= 10
+ length(subject.subject) <= 10
+ or subject.subject == body.current_thread.text
+ or (subject.is_reply and length(body.previous_threads) == 0)
+ )
+ or not (
+ length(subject.subject) <= 10
 or subject.subject == body.current_thread.text
 or (subject.is_reply and length(body.previous_threads) == 0)
 )
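Review bot: The second hunk's added `or not (` block repeats the three subject conditions that the hunk has just closed with `)`, so the new source reads `type.inbound and (<recipients>) and (<subject>) or not (<subject>)`; if `and` binds tighter than `or` here, as in most query languages, that collapses to `(... and <subject>) or not <subject>`, which fires on every message whose subject fails the check, with no regard to direction or recipient count. Given the line counts (7 → 12) and the verbatim duplication, this looks like a merge or rebase artifact rather than an intended widening of the rule. The fix is to drop the five added lines from `+ )` through the second `+ length(subject.subject) <= 10`, leaving the original three-line subject block inside the single `and ( … )`. If a genuine negated branch is wanted, it needs its own distinct predicate and a comment in the rule description explaining when the recipient-count gate is meant to be bypassed. The `source: |` block may continue past the final `)` of the hunk; the first hunk's `type.inbound` change is whitespace-only and needs no review.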