Update headers_outlook_express.yml (#3485)

Author: morriscode

detection-rules/headers_outlook_express.yml

@@ -3,7 +3,8 @@ description: "Detects emails claiming to be sent from Outlook Express, which is
 type: "rule"
 severity: "medium"
 source: |
-  strings.icontains(headers.mailer, 'Outlook Express')
+  type.inbound
+  and strings.icontains(headers.mailer, 'Outlook Express')
   and not profile.by_sender_email().any_messages_benign
 tags:
  - "Attack surface reduction"