diff --git a/detection-rules/link_contains_punycode_characters.yml b/detection-rules/link_contains_punycode_characters.yml
index 4beb34d8b4e..b2b47eecc67 100644
--- a/detection-rules/link_contains_punycode_characters.yml
+++ b/detection-rules/link_contains_punycode_characters.yml
@@ -9,26 +9,13 @@ authors:
 severity: "medium"
 source: |
 type.inbound
- and any(body.links, .href_url.domain.punycode is not null and .href_url.domain.valid == true)
 and (
- (
- // include automated emails
- sender.display_name == "WordPress"
- or sender.email.local_part == "wordpress"
- )
-
- or (
- (
- profile.by_sender().prevalence in ("new", "outlier")
- and not profile.by_sender().solicited
- )
- or (
- profile.by_sender().any_messages_malicious_or_spam
- and not profile.by_sender().any_messages_benign
- )
+ any(body.links,
+ .href_url.domain.punycode is not null and .href_url.domain.valid == true
 )
+ or any(body.links, strings.starts_with(.href_url.domain.domain, "xn--"))
 )
- and not profile.by_sender().any_messages_benign
+
 tags:
 - "Attack surface reduction"
 attack_types:
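Review bot: The new `source` drops every sender-profile condition (new/outlier prevalence, unsolicited, malicious history, and the trailing `and not profile.by_sender().any_messages_benign`), so the rule now fires on any inbound message carrying a valid punycode link, including legitimate internationalized domains from established senders; if that precision-for-recall trade is intended for an "Attack surface reduction" rule, the rule's `description` (outside this hunk) should say so, and a one-line MQL comment above the `any(` such as `// sender reputation gating intentionally removed: any valid punycode link is sufficient` would stop the next maintainer from re-adding it. The added fallback `or any(body.links, strings.starts_with(.href_url.domain.domain, "xn--"))` is also asymmetric with the first clause: it has no `.href_url.domain.valid == true` guard, and, if `.domain.domain` is the full hostname, `starts_with` only matches when the leading label is punycode rather than a deeper label. Presumably the fallback exists to catch domains the parser could not decode (where `.punycode` would be null), in which case a short comment stating that, e.g. `// fallback for hosts the parser rejects, where .punycode is null`, would document why both clauses are needed.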