diff --git a/detection-rules/headers_outlook_express.yml b/detection-rules/headers_outlook_express.yml
index 53e551bbc93..8f5d99dbab2 100644
--- a/detection-rules/headers_outlook_express.yml
+++ b/detection-rules/headers_outlook_express.yml
@@ -3,7 +3,8 @@ description: "Detects emails claiming to be sent from Outlook Express, which is
 type: "rule"
 severity: "medium"
 source: |
- strings.icontains(headers.mailer, 'Outlook Express')
+ type.inbound
+ and strings.icontains(headers.mailer, 'Outlook Express')
 and not profile.by_sender_email().any_messages_benign
 tags:
 - "Attack surface reduction"
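Review bot: The benign-history exclusion kept on the context line after the added `type.inbound` clause is keyed on `profile.by_sender_email()`, which is the unauthenticated From address, so the new inbound scoping still lets a message suppress itself on another sender's history whenever the From is not verified. Since the rule's whole premise is a spoofed/legacy mailer header, the exclusion is safer if it only applies when the sender authenticates, e.g. `and not (profile.by_sender_email().any_messages_benign and headers.auth_summary.dmarc.pass)`; whether that field is in use elsewhere in this rule set I cannot tell from the hunk. A short comment above `source:` stating that the exclusion is a false-positive guard for known-good senders rather than a whitelist would also help the next maintainer.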