Brand impersonation: Outlook
Impersonation of Outlook.com. Senders with "outlook.com" in the subdomain have been observed sending fake account notifications.
Sublime rule
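name: "Brand impersonation: Outlook"
description: |
  Impersonation of Outlook.com. Senders with "outlook.com" in the subdomain
  have been observed sending fake account notifications.
type: "rule"
severity: "high"
# Detection logic (MQL). Flags inbound mail whose sender domain merely
# contains "outlook.com" followed by at least one more character, then
# carves out Outlook's own regional root domains and the recipient list.
source: |
  type.inbound
  // Case-insensitive substring match on the sender's domain. The dots in the
  // pattern are intentionally unescaped, so lookalike spellings where the dot
  // is replaced still match; the trailing ".+" requires at least one character
  // after "outlook.com", so the genuine bare "outlook.com" domain never matches.
  and regex.icontains(sender.email.domain.domain, '.*outlook.com.+')
  // Negate legitimate outlook root domains (Outlook's regional ccTLD domains).
  // NOTE(review): this exemption keys on the root_domain string only and does
  // not check that the message authenticates, so a spoofed sender at one of
  // these domains is exempted too — confirm whether that is intended.
  and sender.email.domain.root_domain not in (
    'outlook.com.au',
    'outlook.com.br',
    'outlook.com.ar',
    'outlook.at',
    'outlook.be',
    'outlook.cl',
    'outlook.cz',
    'outlook.dk',
    'outlook.fr',
    'outlook.de',
    'outlook.com.gr',
    'outlook.co.il',
    'outlook.in',
    'outlook.co.id',
    'outlook.ie',
    'outlook.it',
    'outlook.hu',
    'outlook.jp',
    'outlook.kr',
    'outlook.lv',
    'outlook.my',
    'outlook.co.nz',
    'outlook.com.pe',
    'outlook.ph',
    'outlook.pt',
    'outlook.sa',
    'outlook.sg',
    'outlook.sk',
    'outlook.es',
    'outlook.co.th',
    'outlook.com.tr',
    'outlook.com.vn'
  )
  // Exclude senders whose address is itself in the recipient-email list
  // (presumably the organization's own addresses — verify against the list definition).
  and sender.email.email not in $recipient_emails
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "1fe5bf7b-c4e8-5f8e-a2d7-07e32bd9678f"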