Medium Severity

Brand impersonation: Office 365 mail service

Labels

Description

Detects messages from domains containing both 'o365' and 'mail' in the second-level domain, commonly used to impersonate legitimate Microsoft Office 365 mail services.

References

No references.

Sublime Security

Created Oct 10th, 2025 • Last updated Jan 29th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and (
  strings.icontains(sender.email.domain.sld, 'o365')
  or strings.icontains(sender.email.domain.sld, 'outlook')
  or strings.icontains(sender.email.domain.sld, 'office')
)
and strings.icontains(sender.email.domain.sld, 'mail')
// not benign use cases
and not (
  sender.email.domain.root_domain in (
    "agentofficemail.com", // mandrill app addon
    "mdofficemail.com", // doctor office
    "medofficemail.com", // doctor office
    "officemailbox.fr", // bulk mail provider
    "mail-office.fr", // bulk mail provider
    "officedepot-mail.co.kr", // office depot in kr
    "emailmarketdataoutlook.com", // email mrkting 
    "officelabsmail.co.uk" // company in the uk
  )
  and headers.auth_summary.dmarc.pass
)
and not profile.by_sender_domain().any_messages_benign

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.