sublime | medium | Rule
Headers: Outlook Express mailer
Detects emails claiming to be sent from Outlook Express, which is a legacy email client that is no longer supported or commonly used.
MITRE ATT&CK
defense-evasion, initial-access
Detection Query
type.inbound
and strings.icontains(headers.mailer, 'Outlook Express')
and not profile.by_sender_email().any_messages_benign
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Headers: Outlook Express mailer"
description: "Detects emails claiming to be sent from Outlook Express, which is a legacy email client that is no longer supported or commonly used."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and strings.icontains(headers.mailer, 'Outlook Express')
  and not profile.by_sender_email().any_messages_benign
tags:
- "Attack surface reduction"
attack_types:
- "BEC/Fraud"
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "Spoofing"
detection_methods:
- "Header analysis"
id: "b7a698de-08c0-5f1a-8172-896438e632ea"
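
An added example, not part of the rule or of Sublime's own code: the rule's mailer and sender-history conditions re-expressed in Python and run over constructed sample messages. It assumes `headers.mailer` reflects the X-Mailer header (falling back to User-Agent), models the sender-profile check with a hypothetical set of senders already known to have benign messages, and treats every sample as inbound.

```python
from email import message_from_string, policy
from email.utils import parseaddr


def _msg(sender, mailer_line):
    # Build a constructed RFC 5322 message; mailer_line may be empty.
    return (f"From: {sender}\nTo: user@example.com\nSubject: test\n"
            f"{mailer_line}\n\nbody\n")


OE = "X-Mailer: Microsoft Outlook Express 6.00.2900.5512"
# Constructed samples, not real traffic.
SAMPLES = {
    "oe_new_sender": _msg("Billing <billing@unknown.example>", OE),
    # Header folded across two lines and written in mixed case.
    "oe_folded_case": _msg("x@unknown.example",
                           "X-Mailer: Microsoft OUTLOOK\n Express 6.00.2900.5512"),
    "oe_known_benign": _msg("legacy@partner.example", OE),
    "modern_outlook": _msg("a@unknown.example", "X-Mailer: Microsoft Outlook 16.0"),
    "no_mailer": _msg("b@unknown.example", ""),
}
# Hypothetical stand-in for profile.by_sender_email().any_messages_benign.
BENIGN_SENDERS = {"legacy@partner.example"}


def mailer(msg):
    # Assumption: the mailer field comes from X-Mailer, else User-Agent.
    value = msg.get("X-Mailer") or msg.get("User-Agent") or ""
    # Collapse any whitespace left over from header folding.
    return " ".join(str(value).split())


def claims_outlook_express(raw, benign_senders=frozenset()):
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender in benign_senders:
        return False  # sender history contains benign messages: suppress
    # Case-insensitive substring match, like strings.icontains.
    return "outlook express" in mailer(msg).casefold()


def evaluate(samples, benign_senders):
    return {name: claims_outlook_express(raw, benign_senders)
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLES, BENIGN_SENDERS).items():
        print(f"{name}: {'FLAG' if hit else 'pass'}")
```
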