EXPLORE
Sign In
← Back to Explore
sublimehighRule

Brand impersonation: Outlook

Impersonation of Outlook.com. Senders with "outlook.com" in the subdomain have been observed sending fake account notifications.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1598.003T1583.001
initial-access

Detection Query

type.inbound
and regex.icontains(sender.email.domain.domain, '.*outlook.com.+')
// Negate legitimate outlook root domains
and sender.email.domain.root_domain not in (
  'outlook.com.au',
  'outlook.com.br',
  'outlook.com.ar',
  'outlook.at',
  'outlook.be',
  'outlook.cl',
  'outlook.cz',
  'outlook.dk',
  'outlook.fr',
  'outlook.de',
  'outlook.com.gr',
  'outlook.co.il',
  'outlook.in',
  'outlook.co.id',
  'outlook.ie',
  'outlook.it',
  'outlook.hu',
  'outlook.jp',
  'outlook.kr',
  'outlook.lv',
  'outlook.my',
  'outlook.co.nz',
  'outlook.com.pe',
  'outlook.ph',
  'outlook.pt',
  'outlook.sa',
  'outlook.sg',
  'outlook.sk',
  'outlook.es',
  'outlook.co.th',
  'outlook.com.tr',
  'outlook.com.vn'
)
and sender.email.email not in $recipient_emails

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Brand impersonation: Outlook"
description: |
  Impersonation of Outlook.com. Senders with "outlook.com" in the subdomain
  have been observed sending fake account notifications.
type: "rule"
severity: "high"
source: |
  type.inbound
  and regex.icontains(sender.email.domain.domain, '.*outlook.com.+')
  // Negate legitimate outlook root domains
  and sender.email.domain.root_domain not in (
    'outlook.com.au',
    'outlook.com.br',
    'outlook.com.ar',
    'outlook.at',
    'outlook.be',
    'outlook.cl',
    'outlook.cz',
    'outlook.dk',
    'outlook.fr',
    'outlook.de',
    'outlook.com.gr',
    'outlook.co.il',
    'outlook.in',
    'outlook.co.id',
    'outlook.ie',
    'outlook.it',
    'outlook.hu',
    'outlook.jp',
    'outlook.kr',
    'outlook.lv',
    'outlook.my',
    'outlook.co.nz',
    'outlook.com.pe',
    'outlook.ph',
    'outlook.pt',
    'outlook.sa',
    'outlook.sg',
    'outlook.sk',
    'outlook.es',
    'outlook.co.th',
    'outlook.com.tr',
    'outlook.com.vn'
  )
  and sender.email.email not in $recipient_emails
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "1fe5bf7b-c4e8-5f8e-a2d7-07e32bd9678f"