Brand impersonation: Office 365 mail service

Detects messages from domains containing both 'o365' and 'mail' in the second-level domain, commonly used to impersonate legitimate Microsoft Office 365 mail services.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Office 365 mail service"
 2description: "Detects messages from domains containing both 'o365' and 'mail' in the second-level domain, commonly used to impersonate legitimate Microsoft Office 365 mail services."
 3type: "rule"
 4severity: "medium"
 5false_positives:
 6  - "It is possible for this to match in benign domains.  For recurring benign senders, apply sender exclusions to prevent unnecessary matches."
 7source: |
 8  type.inbound
 9  and (
10    strings.icontains(sender.email.domain.sld, 'o365')
11    or strings.icontains(sender.email.domain.sld, 'outlook')
12    or strings.icontains(sender.email.domain.sld, 'office')
13  )
14  and strings.icontains(sender.email.domain.sld, 'mail')
15  // not benign use cases
16  and not (
17    sender.email.domain.root_domain in (
18      "agentofficemail.com", // mandrill app addon
19      "mdofficemail.com", // doctor office
20      "medofficemail.com", // doctor office
21      "officemailbox.fr", // bulk mail provider
22      "mail-office.fr", // bulk mail provider
23      "officedepot-mail.co.kr", // office depot in kr
24      "emailmarketdataoutlook.com", // email mrkting 
25      "officelabsmail.co.uk" // company in the uk
26    )
27    and headers.auth_summary.dmarc.pass
28  )
29  and not profile.by_sender_domain().any_messages_benign  
30
31attack_types:
32  - "Credential Phishing"
33tactics_and_techniques:
34  - "Impersonation: Brand"
35  - "Lookalike domain"
36  - "Social engineering"
37detection_methods:
38  - "Sender analysis"
39id: "51af3d4a-1667-50df-a99e-e3f00479564b"