Brand impersonation: Office 365 mail service

Detects messages from domains containing both 'o365' and 'mail' in the second-level domain, commonly used to impersonate legitimate Microsoft Office 365 mail services.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Office 365 mail service"
 2description: "Detects messages from domains containing both 'o365' and 'mail' in the second-level domain, commonly used to impersonate legitimate Microsoft Office 365 mail services."
 3type: "rule"
 4severity: "medium"
 5false_positives:
 6  - "It is possible for this to match in benign domains.  For recurring benign senders, apply sender exclusions to prevent unnecessary matches."
 7source: |
 8  type.inbound
 9  and (
10    strings.icontains(sender.email.domain.sld, 'o365')
11    or strings.icontains(sender.email.domain.sld, 'outlook')
12    or strings.icontains(sender.email.domain.sld, 'office')
13  )
14  and strings.icontains(sender.email.domain.sld, 'mail')
15  // not benign use cases
16  and not (
17    sender.email.domain.root_domain in (
18      "agentofficemail.com", // mandrill app addon
19      "mdofficemail.com", // doctor office
20      "medofficemail.com", // doctor office
21      "officemailbox.fr", // bulk mail provider
22      "mail-office.fr", // bulk mail provider
23      "officedepot-mail.co.kr", // office depot in kr
24      "emailmarketdataoutlook.com", // email mrkting 
25      "officelabsmail.co.uk" // company in the uk
26    )
27    and headers.auth_summary.dmarc.pass
28  )  
29
30attack_types:
31  - "Credential Phishing"
32tactics_and_techniques:
33  - "Impersonation: Brand"
34  - "Lookalike domain"
35  - "Social engineering"
36detection_methods:
37  - "Sender analysis"
38id: "51af3d4a-1667-50df-a99e-e3f00479564b"