Brand impersonation: Outlook
Impersonation of Outlook.com. Senders with "outlook.com" in the subdomain have been observed sending fake account notifications.
Sublime rule
name: "Brand impersonation: Outlook"
description: |
  Impersonation of Outlook.com. Senders with "outlook.com" in the subdomain
  have been observed sending fake account notifications.
type: "rule"
severity: "high"
source: |
  type.inbound
  and regex.icontains(sender.email.domain.domain, '.*outlook.com.+')
  and sender.email.domain.root_domain not in ('outlook.com.au', 'outlook.com.br')
  and sender.email.email not in $recipient_emails
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "1fe5bf7b-c4e8-5f8e-a2d7-07e32bd9678f"
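The rule's four conditions ported to Python and run over constructed sender addresses, as an added example that is not Sublime's code or the rule itself. The small public-suffix set standing in for Sublime's root_domain lookup and all sample addresses are assumptions of this example.

```python
import re

# Constructed stand-in for Sublime's public-suffix data: only the suffixes these
# samples need (assumption). The real root_domain uses the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "au", "br", "com.au", "com.br"}
PATTERN = re.compile(r".*outlook.com.+", re.IGNORECASE)  # same regex as the rule
ALLOWED_ROOTS = {"outlook.com.au", "outlook.com.br"}     # same exclusions as the rule


def root_domain(domain: str) -> str:
    """Registrable domain: one label above the longest matching public suffix."""
    labels = domain.lower().split(".")
    for i in range(1, len(labels)):          # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def is_outlook_impersonation(sender: str, recipients: list[str], inbound: bool = True) -> bool:
    """Mirror of the rule: inbound, lookalike domain, not a genuine regional root, not self-sent."""
    domain = sender.rsplit("@", 1)[1]
    return (
        inbound
        and PATTERN.search(domain) is not None        # regex.icontains(domain.domain, ...)
        and root_domain(domain) not in ALLOWED_ROOTS  # root_domain not in (...)
        and sender.lower() not in {r.lower() for r in recipients}  # not in $recipient_emails
    )


# Constructed sender addresses (not from any real campaign) with the verdict the rule intends.
SAMPLES = [
    ("alerts@outlook.com.account-verify-example.com", ["user@example.org"], True),
    ("security@outlook.com-login.example.net", ["user@example.org"], True),
    ("noreply@outlook.com", ["user@example.org"], False),       # '.+' needs text after outlook.com
    ("noreply@mail.outlook.com", ["user@example.org"], False),  # subdomain of the real domain
    ("alerts@outlook.com.au", ["user@example.org"], False),     # excluded regional root
    ("alerts@mail.outlook.com.br", ["user@example.org"], False),
    ("user@outlook.com.example.com", ["user@outlook.com.example.com"], False),  # self-sent
    # The rule's unescaped dots also match 'outlookxcom'; a tuning caveat, not an error.
    ("alerts@outlookxcom.example.com", ["user@example.org"], True),
]


def run_samples() -> bool:
    """True when every constructed sample receives the expected verdict."""
    return all(is_outlook_impersonation(s, r) == want for s, r, want in SAMPLES)


if __name__ == "__main__":
    for sender, recipients, _ in SAMPLES:
        print(f"{sender:48} -> {is_outlook_impersonation(sender, recipients)}")
```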