Brand impersonation: Outlook

Impersonation of Outlook.com. Senders with "outlook.com" in the subdomain have been observed sending fake account notifications.

Sublime rule

name: "Brand impersonation: Outlook"
description: |
  Impersonation of Outlook.com. Senders with "outlook.com" in the subdomain
  have been observed sending fake account notifications.
type: "rule"
severity: "high"
source: |
  type.inbound
  and regex.icontains(sender.email.domain.domain, '.*outlook.com.+')
  and sender.email.domain.root_domain not in ('outlook.com.au', 'outlook.com.br')
  and sender.email.email not in $recipient_emails
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "1fe5bf7b-c4e8-5f8e-a2d7-07e32bd9678f"
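The rule's three conditions can be read as a small decision procedure: the full sender domain must match the pattern '.*outlook.com.+' case-insensitively, the sender's root domain must not be one of Microsoft's legitimate regional Outlook domains, and the sender must not be one of the organisation's own recipients. The Python below is an added illustration, not part of the Sublime rule or the Sublime platform; it re-implements the logic over constructed sample addresses so the effect of each clause can be seen. Two things are assumptions rather than facts from the page: Sublime's root_domain is derived from the Public Suffix List, which is approximated here with a tiny hard-coded suffix set, and the sample addresses are invented. Note that the dots in the pattern are unescaped, so the same pattern also matches hyphenated variants such as "outlook-com", which the last sample exercises.

```python
import re
from typing import Iterable

# Exclusions copied from the rule: legitimate Microsoft root domains whose own
# name begins with "outlook.com".
LEGITIMATE_ROOT_DOMAINS = {"outlook.com.au", "outlook.com.br"}

# Same pattern as the rule. The dots are unescaped, so each matches any
# character, which is why "outlook-com.example" is also caught below.
LOOKALIKE_PATTERN = re.compile(r".*outlook.com.+", re.IGNORECASE)

# Assumption: Sublime computes root_domain from the Public Suffix List. This
# offline stand-in knows only a few two-label public suffixes and otherwise
# treats the last two labels as the root domain.
MULTI_LABEL_SUFFIXES = {"com.au", "com.br", "co.uk"}


def root_domain(domain: str) -> str:
    """Return the registrable domain, e.g. 'mail.outlook.com.au' -> 'outlook.com.au'."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_domain(address: str) -> str:
    """Return the domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def is_outlook_lookalike(sender: str, recipient_emails: Iterable[str]) -> bool:
    """Mirror the rule's source clauses for an inbound message.

    1. full sender domain matches '.*outlook.com.+' (case-insensitive)
    2. root domain is not a legitimate regional Outlook domain
    3. sender is not one of our own recipient mailboxes
    """
    domain = sender_domain(sender)
    if not LOOKALIKE_PATTERN.search(domain):
        return False
    if root_domain(domain) in LEGITIMATE_ROOT_DOMAINS:
        return False
    if sender.lower() in {r.lower() for r in recipient_emails}:
        return False
    return True


# Constructed samples; none of these addresses are real senders.
RECIPIENTS = ["alice@example.org"]
SAMPLES = [
    "security-alert@outlook.com.account-verify.example",  # lookalike subdomain
    "no-reply@outlook.com",                               # genuine root domain
    "newsletter@mail.outlook.com.au",                     # excluded regional domain
    "alice@example.org",                                  # no outlook.com at all
    "alerts@outlook-com.example",                         # hyphen matched by unescaped dot
]


def classify(samples: Iterable[str], recipients: Iterable[str]) -> dict:
    """Map each sample sender to the rule's verdict."""
    return {s: is_outlook_lookalike(s, recipients) for s in samples}


if __name__ == "__main__":
    for sender, flagged in classify(SAMPLES, RECIPIENTS).items():
        print(f"{'FLAG ' if flagged else 'pass '} {sender}")
```

The self-send exclusion is the clause most worth keeping in mind when tuning: a mailbox on a matching domain that is also an internal recipient is deliberately not flagged, which is why the rule requires `$recipient_emails` to be populated with the organisation's own addresses.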