Brand impersonation: Office 365 mail service

Detects inbound messages whose sender address has a second-level domain containing both 'o365' and 'mail', a lookalike-domain pattern commonly used to impersonate legitimate Microsoft Office 365 mail services.

Sublime rule

name: "Brand impersonation: Office 365 mail service"
description: "Detects messages from domains containing both 'o365' and 'mail' in the second-level domain, commonly used to impersonate legitimate Microsoft Office 365 mail services."
type: "rule"
severity: "high"
source: |
  type.inbound
  and strings.icontains(sender.email.domain.sld, 'o365')
  and strings.icontains(sender.email.domain.sld, 'mail')

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
id: "51af3d4a-1667-50df-a99e-e3f00479564b"
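To see exactly which senders this rule catches and which it lets through, the following is an added example (not Sublime's code) that reimplements the rule's three conditions in plain Python and runs them over a handful of constructed sender addresses. The `domain_sld` helper stands in for Sublime's `sender.email.domain.sld` and uses a tiny hard-coded stand-in for a public-suffix list, which is an assumption made so that `o365mail.co.uk` yields the label `o365mail` rather than `co`; the `Message` class and its `inbound` flag are likewise stand-ins for `type.inbound`.

```python
"""Added example: the 'Brand impersonation: Office 365 mail service' rule
logic reimplemented in Python and run over constructed sample senders.
Not Sublime Security's code; the helpers below are assumptions."""

from dataclasses import dataclass

# Assumption: a minimal stand-in for a public-suffix list so that the
# second-level domain (SLD) of "o365mail.co.uk" is "o365mail", not "co".
MULTI_PART_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def domain_sld(domain: str) -> str:
    """Return the second-level label of a domain, case-folded.

    Mirrors the intent of Sublime's sender.email.domain.sld: the label
    immediately left of the registrable suffix, ignoring any subdomains.
    """
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return labels[-3]
    if len(labels) >= 2:
        return labels[-2]
    return labels[0]


@dataclass
class Message:
    sender: str    # From address (assumption: already parsed to addr-spec)
    inbound: bool  # stands in for Sublime's type.inbound


def matches_o365_mail_rule(msg: Message) -> bool:
    """Apply the rule: inbound AND sld icontains 'o365' AND sld icontains 'mail'."""
    if not msg.inbound:
        return False
    if "@" not in msg.sender:
        return False  # malformed sender: no domain to inspect
    domain = msg.sender.rsplit("@", 1)[1]
    sld = domain_sld(domain)
    # strings.icontains is case-insensitive; domain_sld already lower-cased.
    return "o365" in sld and "mail" in sld


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    Message("security-alert@o365-mail-notify.com", inbound=True),  # hit
    Message("noreply@mail.o365mail.co.uk", inbound=True),          # hit via suffix list
    Message("admin@mail-o365.org", inbound=True),                  # hit: order of tokens irrelevant
    Message("it@o365.mail.example.com", inbound=True),             # miss: tokens only in subdomain
    Message("no-reply@microsoft.com", inbound=True),               # miss: sld is 'microsoft'
    Message("helpdesk@O365MAIL.NET", inbound=False),               # miss: outbound, despite sld match
]


def matching_senders(messages=SAMPLE_MESSAGES) -> list[str]:
    """Return the sorted sender addresses that the rule would flag."""
    return sorted(m.sender for m in messages if matches_o365_mail_rule(m))


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(f"{'FLAG ' if matches_o365_mail_rule(m) else 'pass '} {m.sender}")
```

The fourth sample is the caveat worth keeping in mind: because the rule inspects only the second-level domain, a sender such as `it@o365.mail.example.com` is not flagged even though the lookalike tokens are present in the subdomain, so a separate rule against the full domain (or the display name) is needed to cover that variant. Conversely, any legitimate inbound sender whose registered domain happens to contain both substrings will match, which is the usual trade-off for a high-severity substring rule of this kind.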