High Severity

Brand impersonation: Outlook

Labels

Credential Phishing

Impersonation: Brand

Description

Impersonation of Outlook.com. Senders with "outlook.com" in the subdomain have been observed sending fake account notifications.

References

No references.

Sublime Security

Created Aug 17th, 2023 • Last updated May 29th, 2024

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and regex.icontains(sender.email.domain.domain, '.*outlook.com.+')
// Negate legitimate outlook root domains
and sender.email.domain.root_domain not in (
  'outlook.com.au',
  'outlook.com.br',
  'outlook.com.ar',
  'outlook.at',
  'outlook.be',
  'outlook.cl',
  'outlook.cz',
  'outlook.dk',
  'outlook.fr',
  'outlook.de',
  'outlook.com.gr',
  'outlook.co.il',
  'outlook.in',
  'outlook.co.id',
  'outlook.ie',
  'outlook.it',
  'outlook.hu',
  'outlook.jp',
  'outlook.kr',
  'outlook.lv',
  'outlook.my',
  'outlook.co.nz',
  'outlook.com.pe',
  'outlook.ph',
  'outlook.pt',
  'outlook.sa',
  'outlook.sg',
  'outlook.sk',
  'outlook.es',
  'outlook.co.th',
  'outlook.com.tr',
  'outlook.com.vn'
)
and sender.email.email not in $recipient_emails

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.