Brand impersonation: Office 365 mail service
Detects messages from domains containing both 'o365' and 'mail' in the second-level domain, commonly used to impersonate legitimate Microsoft Office 365 mail services.
Sublime rule
name: "Brand impersonation: Office 365 mail service"
description: "Detects messages from domains containing both 'o365' and 'mail' in the second-level domain, commonly used to impersonate legitimate Microsoft Office 365 mail services."
type: "rule"
severity: "high"
source: |
  type.inbound
  and strings.icontains(sender.email.domain.sld, 'o365')
  and strings.icontains(sender.email.domain.sld, 'mail')

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
id: "51af3d4a-1667-50df-a99e-e3f00479564b"
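The rule keys on the second-level domain (SLD) of the sender address, not on subdomains or the full domain string, so "mail.o365security.example" does not match while "o365-mail-alerts.example" does. The following Python is an added example, not Sublime's code or MQL engine: it re-implements the three conditions (inbound, SLD contains "o365", SLD contains "mail", both case-insensitive) over a few constructed sender addresses. The `MULTI_LABEL_SUFFIXES` set is an assumed stand-in for the Public Suffix List that Sublime's `domain.sld` resolution would use in practice; a production port should use a real PSL library.

```python
import re
from dataclasses import dataclass

# Assumed subset of multi-label public suffixes, so that "o365mail.co.uk"
# yields the SLD "o365mail" rather than "co". Not the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}


@dataclass
class Message:
    """Minimal stand-in for the fields the rule reads (constructed for this example)."""
    sender: str      # raw From header value, e.g. 'Microsoft <noreply@o365-mail.example>'
    inbound: bool    # equivalent of type.inbound


def sender_domain(address: str) -> str:
    """Return the domain part of a From header, accepting 'Name <user@dom>' or 'user@dom'."""
    match = re.search(r"<([^>]+)>", address)
    addr = match.group(1) if match else address.strip()
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1]


def domain_sld(domain: str) -> str:
    """Second-level domain: the label directly left of the public suffix, lower-cased."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0] if labels and labels[0] else ""
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return labels[-3]
    return labels[-2]


def matches_rule(msg: Message) -> bool:
    """Port of the rule's source block: inbound, and SLD icontains 'o365' and 'mail'."""
    if not msg.inbound:
        return False
    sld = domain_sld(sender_domain(msg.sender))
    return "o365" in sld and "mail" in sld


def flagged_senders(messages: list[Message]) -> list[str]:
    """Return the sender strings of every message the rule would fire on."""
    return [m.sender for m in messages if matches_rule(m)]


# Constructed sample messages; the domains are illustrative, not real indicators.
SAMPLE_MESSAGES = [
    Message("Microsoft <noreply@O365-Mail-Alerts.example>", inbound=True),   # lookalike SLD: fires
    Message("alerts@mail.o365security.example", inbound=True),               # 'mail' only in subdomain: no fire
    Message("support@o365mail.co.uk", inbound=True),                         # multi-label suffix handled: fires
    Message("notify@microsoft.com", inbound=True),                           # legitimate brand domain: no fire
    Message("it@o365-mail.example", inbound=False),                          # outbound, type.inbound false: no fire
]

if __name__ == "__main__":
    for sender in flagged_senders(SAMPLE_MESSAGES):
        print("FLAGGED:", sender)
```

The second sample is the one to note when tuning: a sender whose "mail" label sits only in a subdomain slips past this rule by design, because `sender.email.domain.sld` is evaluated, not the whole domain string.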