Brand impersonation: Office 365 mail service

Sublime Rules

Summary
This rule detects email messages sent from domains whose second-level domain contains both the substrings 'o365' and 'mail'. Such domains are frequently registered for phishing campaigns in which attackers impersonate the legitimate Microsoft Office 365 mail service to trick recipients into disclosing credentials or other sensitive information. The detection works by extracting the second-level domain from the sender's address and checking that it contains both substrings. The rule is classified as high severity, reflecting the risk posed by credential-phishing attacks that rely on brand impersonation.
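As an added illustration of the check the summary describes (example code, not Sublime's own rule logic), the following extracts the second-level domain from a From header and tests it for both substrings. It assumes the second-level domain is the label immediately left of a single-label public suffix; a production check would consult a public-suffix list to handle suffixes such as co.uk, and all sample headers below are constructed.

```python
from email.utils import parseaddr

# Substrings the rule looks for in the sender's second-level domain.
REQUIRED_SUBSTRINGS = ("o365", "mail")


def sender_sld(from_header: str) -> str:
    """Return the second-level domain label of the sender address, lower-cased.

    Handles display names and quoting via parseaddr, so
    '"Office 365" <x@mail.o365-mail-secure.com>' yields 'o365-mail-secure'.
    Simplification (assumption): the public suffix is treated as the last
    label only, so multi-label suffixes like 'co.uk' are not recognised.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    labels = domain.split(".")
    if len(labels) < 2:
        return ""  # bare hostname, no registrable domain to inspect
    return labels[-2]


def impersonates_o365_mail(from_header: str) -> bool:
    """True when the sender's second-level domain contains every required substring."""
    sld = sender_sld(from_header)
    return bool(sld) and all(s in sld for s in REQUIRED_SUBSTRINGS)


# Constructed sample From headers: lookalike senders and benign ones.
CONSTRUCTED_SAMPLES = [
    '"Office 365" <noreply@o365-mail-secure.com>',
    "Microsoft <no-reply@mail.o365mail-alerts.net>",
    "<account-security-noreply@accountprotection.microsoft.com>",
    "<bob@o365.example.com>",  # 'o365' only in a subdomain, SLD is 'example'
    "<alerts@securemail-o365.co>",
]


def flag_suspicious(headers):
    """Return the subset of From headers that trigger the rule."""
    return [h for h in headers if impersonates_o365_mail(h)]


if __name__ == "__main__":
    for header in flag_suspicious(CONSTRUCTED_SAMPLES):
        print("FLAGGED:", header)
```

Note that a legitimate address such as one under microsoft.com never matches, because the check runs on the registrable domain rather than on subdomains or the local part.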
Categories
  • Web
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2025-10-11