From 7fefb328459da58fdd93fd8425291bedd93d2c3d Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Thu, 6 Nov 2025 12:09:50 -0500
Subject: [PATCH] Update headers_outlook_express.yml Adding type
---
 detection-rules/headers_outlook_express.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/detection-rules/headers_outlook_express.yml b/detection-rules/headers_outlook_express.yml
index 53e551bbc93..8f5d99dbab2 100644
--- a/detection-rules/headers_outlook_express.yml
+++ b/detection-rules/headers_outlook_express.yml
@@ -3,7 +3,8 @@ description: "Detects emails claiming to be sent from Outlook Express, which is
 type: "rule"
 severity: "medium"
 source: |
- strings.icontains(headers.mailer, 'Outlook Express')
+ type.inbound
+ and strings.icontains(headers.mailer, 'Outlook Express')
 and not profile.by_sender_email().any_messages_benign
 tags:
 - "Attack surface reduction"
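Review bot: The exclusion on the last line of `source`, `and not profile.by_sender_email().any_messages_benign`, is keyed on the sender address alone, so a message that fails authentication but carries the address of a sender with benign history would be skipped by this rule; the added `type.inbound` gate does not change that. If the profile function does not already take authentication into account (not visible from this hunk), consider honouring the benign history only for authenticated mail, for example `and not (profile.by_sender_email().any_messages_benign and headers.auth_summary.dmarc.pass)`, after confirming how a missing DMARC result evaluates in that expression. The rule's name and the full description lie outside the hunk, so any statement there about sender trust should be checked against whichever form is kept.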