diff --git a/detection-rules/fake_thread_suspicious_indicators.yml b/detection-rules/fake_thread_suspicious_indicators.yml
index 39b9fbe2556..d7db9e87be4 100644
--- a/detection-rules/fake_thread_suspicious_indicators.yml
+++ b/detection-rules/fake_thread_suspicious_indicators.yml
@@ -40,10 +40,12 @@ source: |
 )
 or headers.return_path.domain.domain is null
 )
-
- and (
- length(headers.references) == 0
- or headers.in_reply_to is null
+ // not mimecast secure message from internal source
+ and not (
+ strings.istarts_with(headers.message_id, '')
+ and headers.hops[0].received.server.raw == "relay.mimecast.com"
+ and strings.icontains(headers.hops[0].received.source.raw, 'mimecast.lan')
 )
 // and not solicited