Create headers_outlook_express.yml (#3329)

Co-authored-by: ID Generator <hello@sublimesecurity.com>
Co-authored-by: Alex Herold <alex.herold@sublimesecurity.com>

Author: 3 people

detection-rules/headers_outlook_express.yml

@@ -0,0 +1,19 @@
+name: "Headers: Outlook Express mailer"
+description: "Detects emails claiming to be sent from Outlook Express, which is a legacy email client that is no longer supported or commonly used."
+type: "rule"
+severity: "medium"
+source: |
+  strings.icontains(headers.mailer, 'Outlook Express')
+  and not profile.by_sender_email().any_messages_benign
+tags:
+ - "Attack surface reduction"
+attack_types:
+  - "BEC/Fraud"
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "Spoofing"
+detection_methods:
+  - "Header analysis"
+id: "b7a698de-08c0-5f1a-8172-896438e632ea"