Headers: Outlook Express mailer

Detects emails claiming to be sent from Outlook Express, which is a legacy email client that is no longer supported or commonly used.

Sublime rule

name: "Headers: Outlook Express mailer"
description: "Detects emails claiming to be sent from Outlook Express, which is a legacy email client that is no longer supported or commonly used."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and strings.icontains(headers.mailer, 'Outlook Express')
  and not profile.by_sender_email().any_messages_benign
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Spoofing"
detection_methods:
  - "Header analysis"
id: "b7a698de-08c0-5f1a-8172-896438e632ea"
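The rule's source combines three conditions: the message is inbound, the mailer header contains "Outlook Express" (case-insensitive), and the sender has no history of benign messages in the organisation's sender profile. The Python below is an added example, not Sublime Security's code or engine, that approximates that logic over constructed sample messages. It assumes `headers.mailer` corresponds to the X-Mailer header, and it replaces `profile.by_sender_email().any_messages_benign` with a constructed set of sender addresses that stands in for the per-sender reputation data; the X-Mailer values and addresses are constructed for the example.

```python
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed stand-in for the sender-history lookup that MQL exposes as
# profile.by_sender_email().any_messages_benign: any address listed here is
# treated as a sender with at least one prior benign message.
BENIGN_SENDERS = {"partner@example.org"}


def mailer_is_outlook_express(msg: Message) -> bool:
    """strings.icontains(headers.mailer, 'Outlook Express'), assuming the
    mailer field is taken from the X-Mailer header."""
    mailer = msg.get("X-Mailer", "")
    return "outlook express" in mailer.lower()


def sender_email(msg: Message) -> str:
    """Normalised address part of the From header (display name stripped)."""
    return parseaddr(msg.get("From", ""))[1].lower()


def rule_matches(raw: str, inbound: bool = True) -> bool:
    """Return True when the message would trigger the rule.

    `inbound` stands in for type.inbound, which the mail platform decides
    from message direction rather than from headers.
    """
    if not inbound:
        return False
    msg = message_from_string(raw)
    if not mailer_is_outlook_express(msg):
        return False
    # The final clause suppresses the alert for senders with benign history,
    # which keeps a known correspondent on an old client from alerting.
    return sender_email(msg) not in BENIGN_SENDERS


# Constructed sample messages (not real traffic).
SAMPLE_UNKNOWN_OE = """\
From: "Accounts" <billing@unknown-sender.example>
To: finance@example.com
Subject: Overdue invoice
X-Mailer: Microsoft Outlook Express 6.00.2900.5512

Please see the attached invoice.
"""

SAMPLE_KNOWN_OE = """\
From: "Long-time Partner" <partner@example.org>
To: finance@example.com
Subject: Monthly report
X-Mailer: microsoft outlook express 6.00.2800.1106

Report attached as usual.
"""

SAMPLE_MODERN_CLIENT = """\
From: "Accounts" <billing@unknown-sender.example>
To: finance@example.com
Subject: Overdue invoice
X-Mailer: Microsoft Outlook 16.0

Please see the attached invoice.
"""

SAMPLE_NO_MAILER = """\
From: "Accounts" <billing@unknown-sender.example>
To: finance@example.com
Subject: Overdue invoice

Please see the attached invoice.
"""

if __name__ == "__main__":
    for label, sample in [
        ("unknown sender, Outlook Express", SAMPLE_UNKNOWN_OE),
        ("known-benign sender, Outlook Express", SAMPLE_KNOWN_OE),
        ("unknown sender, modern client", SAMPLE_MODERN_CLIENT),
        ("unknown sender, no X-Mailer", SAMPLE_NO_MAILER),
    ]:
        print(f"{label}: match={rule_matches(sample)}")
```

Only the first sample alerts: the lowercase X-Mailer in the second sample still matches the case-insensitive check, but the sender's benign history suppresses it, which is the behaviour the `and not profile...any_messages_benign` clause is there to provide. A message with no X-Mailer header at all does not match, so the rule is a signal about a specific claimed client rather than about missing mailer information.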
