diff --git a/detection-rules/predatory_academic_journal.yml b/detection-rules/predatory_academic_journal.yml
index d109a148be8..eb8bfaa83aa 100644
--- a/detection-rules/predatory_academic_journal.yml
+++ b/detection-rules/predatory_academic_journal.yml
@@ -143,15 +143,20 @@ source: |
 // negate microsoft quarantine messages
 and not (
- any(body.links,
- (
- strings.icontains(.display_text, "Review Message")
- or strings.icontains(.display_text, "Passer en revue le message")
- )
- and (
- .href_url.domain.domain == "security.microsoft.com"
- and .href_url.path == "/quarantine"
+ sender.email.email == "quarantine@messaging.microsoft.com"
+ and (
+ headers.auth_summary.dmarc.pass
+ // no sender auth but MS AuthAs is Internal
+ or (
+ not coalesce(headers.auth_summary.dmarc.pass, false)
+ and any(headers.hops,
+ .index == 0
+ and any(.fields,
+ .name == "X-MS-Exchange-CrossTenant-AuthAs"
+ and .value == "Internal"
+ )
 )
+ )
 )
 )
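Review bot: The comment on the fallback branch, `// no sender auth but MS AuthAs is Internal`, does not match the condition under it: `not coalesce(headers.auth_summary.dmarc.pass, false)` is true when DMARC failed or is absent, not when sender authentication as a whole is missing, and the `not coalesce(...)` guard is redundant anyway because the `or` with `headers.auth_summary.dmarc.pass` already covers the passing case, so it can be dropped or kept purely for readability. Since this branch suppresses the whole rule for any message whose sender is `quarantine@messaging.microsoft.com` on the strength of a single `X-MS-Exchange-CrossTenant-AuthAs: Internal` field at hop index 0, the rule should state why that hop is trusted; a comment such as `// DMARC missing or failing, but the first hop is stamped X-MS-Exchange-CrossTenant-AuthAs: Internal, which Exchange Online sets for intra-tenant delivery — confirm this header is not preserved from external senders` would make the assumption reviewable. The enclosing `source: |` expression starts and ends outside this hunk.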