diff --git a/detection-rules/headers_outlook_express.yml b/detection-rules/headers_outlook_express.yml
new file mode 100644
index 00000000000..53e551bbc93
--- /dev/null
+++ b/detection-rules/headers_outlook_express.yml
@@ -0,0 +1,19 @@
+name: "Headers: Outlook Express mailer"
+description: "Detects emails claiming to be sent from Outlook Express, which is a legacy email client that is no longer supported or commonly used."
+type: "rule"
+severity: "medium"
+source: |
+ strings.icontains(headers.mailer, 'Outlook Express')
+ and not profile.by_sender_email().any_messages_benign
+tags:
+ - "Attack surface reduction"
+attack_types:
+ - "BEC/Fraud"
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "Spoofing"
+detection_methods:
+ - "Header analysis"
+id: "b7a698de-08c0-5f1a-8172-896438e632ea"
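Review bot: The `source` query alerts on any message whose `headers.mailer` contains 'Outlook Express' from a sender with no benign history and carries no other indicator of malicious intent, so every first-contact sender still running that legacy client will fire this medium-severity rule. Since the `X-Mailer`-derived value is supplied by the sender, the condition is a hygiene heuristic rather than evidence of compromise, and the `description` should say so, e.g. appending `Legitimate senders still using this client will match on first contact; sender history is the only suppression.` If the profile object exposes a false-positive flag as `profile.by_sender()` does, adding `and not profile.by_sender_email().any_false_positives` (verify the attribute exists for this profile type) would let analyst feedback suppress repeat alerts. As a matter of style, the `description` value is one roughly 150-character quoted line; `description: >-` with the text wrapped beneath it yields the identical string while keeping lines within the usual YAML length limit.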