Brand impersonation: Office 365 mail service
Detects inbound messages whose sender's second-level domain contains 'mail' together with 'o365', 'outlook' or 'office', a pattern commonly used to impersonate legitimate Microsoft Office 365 mail services. A short list of known benign domains is excluded, but only when the message also passes DMARC.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: Brand, Lookalike domain, Social engineering |
Event coverage
| Message attribute |
|---|
| headers.auth_summary |
| sender.email |
| type |
Rule body MQL
```mql
type.inbound
and (
    strings.icontains(sender.email.domain.sld, 'o365')
    or strings.icontains(sender.email.domain.sld, 'outlook')
    or strings.icontains(sender.email.domain.sld, 'office')
)
and strings.icontains(sender.email.domain.sld, 'mail')
// not benign use cases
and not (
    sender.email.domain.root_domain in (
        "agentofficemail.com", // mandrill app addon
        "mdofficemail.com", // doctor office
        "medofficemail.com", // doctor office
        "officemailbox.fr", // bulk mail provider
        "mail-office.fr", // bulk mail provider
        "officedepot-mail.co.kr", // office depot in kr
        "emailmarketdataoutlook.com", // email marketing
        "officelabsmail.co.uk" // company in the uk
    )
    and headers.auth_summary.dmarc.pass
)
```
Detection logic
Scope: inbound message.
- inbound message
- any of:
  - sender.email.domain.sld contains 'o365'
  - sender.email.domain.sld contains 'outlook'
  - sender.email.domain.sld contains 'office'
- sender.email.domain.sld contains 'mail'
- not all of:
  - sender.email.domain.root_domain in ('agentofficemail.com', 'mdofficemail.com', 'medofficemail.com', 'officemailbox.fr', 'mail-office.fr', 'officedepot-mail.co.kr', 'emailmarketdataoutlook.com', 'officelabsmail.co.uk')
  - headers.auth_summary.dmarc.pass
Inspects: headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, sender.email.domain.sld, type.inbound. Sensors: strings.icontains.
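The same logic re-implemented in Python over constructed sample senders, as an added example that is not Sublime's code or MQL engine. `split_domain` is a simplified stand-in for the `sld` and `root_domain` attributes and assumes a two-label registrable domain except under a few two-letter ccTLD suffixes such as `co.uk`; the sample messages are constructed.

```python
# Exclusion list copied from the rule body above.
BENIGN_ROOT_DOMAINS = {
    "agentofficemail.com", "mdofficemail.com", "medofficemail.com",
    "officemailbox.fr", "mail-office.fr", "officedepot-mail.co.kr",
    "emailmarketdataoutlook.com", "officelabsmail.co.uk",
}
BRAND_TOKENS = ("o365", "outlook", "office")

# Assumption: a two-letter ccTLD preceded by one of these labels forms a
# second-level suffix (co.uk, co.kr). A real engine uses a public-suffix list.
CC_SUFFIX_LABELS = {"co", "com", "org", "net", "ac", "gov"}

def split_domain(domain):
    """Simplified stand-in for sender.email.domain.sld / .root_domain."""
    labels = domain.lower().rstrip(".").split(".")
    take = 3 if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in CC_SUFFIX_LABELS else 2
    root_labels = labels[-take:]
    return root_labels[0], ".".join(root_labels)

def icontains(haystack, needle):
    """Case-insensitive substring test, like strings.icontains."""
    return needle.lower() in haystack.lower()

def rule_matches(inbound, sender_domain, dmarc_pass):
    """Evaluate the rule for one message; True means the rule fires."""
    if not inbound:
        return False
    sld, root = split_domain(sender_domain)
    lookalike = any(icontains(sld, t) for t in BRAND_TOKENS) and icontains(sld, "mail")
    if not lookalike:
        return False
    # The exclusion needs BOTH conditions: an allowlisted domain that fails
    # DMARC (i.e. one that is being spoofed) still fires.
    return not (root in BENIGN_ROOT_DOMAINS and dmarc_pass)

def flagged(messages):
    """Return the sender domains of the messages the rule would flag."""
    return [d for inbound, d, dmarc in messages if rule_matches(inbound, d, dmarc)]

# Constructed sample messages: (type.inbound, sender domain, dmarc.pass).
SAMPLES = [
    (True, "o365-mailservice.com", False),        # lookalike: flagged
    (True, "mail.OutlookMail-Secure.net", False), # lookalike under a subdomain: flagged
    (True, "mdofficemail.com", True),             # allowlisted and DMARC pass: suppressed
    (True, "mdofficemail.com", False),            # allowlisted but DMARC fail: flagged
    (True, "officedepot-mail.co.kr", True),       # ccTLD allowlist entry: suppressed
    (True, "contoso.com", True),                  # no brand token: not flagged
    (False, "o365-mailservice.com", False),       # outbound: out of scope
]
```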
Indicators matched (12)
| Field | Match | Value |
|---|---|---|
| strings.icontains | substring | o365 |
| strings.icontains | substring | outlook |
| strings.icontains | substring | office |
| strings.icontains | substring | mail |
| sender.email.domain.root_domain | member | agentofficemail.com |
| sender.email.domain.root_domain | member | mdofficemail.com |
| sender.email.domain.root_domain | member | medofficemail.com |
| sender.email.domain.root_domain | member | officemailbox.fr |
| sender.email.domain.root_domain | member | mail-office.fr |
| sender.email.domain.root_domain | member | officedepot-mail.co.kr |
| sender.email.domain.root_domain | member | emailmarketdataoutlook.com |
| sender.email.domain.root_domain | member | officelabsmail.co.uk |