Observed IOC: Malicious sender email addresses
Detects inbound messages from known malicious sender email addresses. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed.
Detection Query
// AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
// Managed by automated IOC system
//
// Matches inbound messages whose sender address, once SHA-256 hashed, equals one
// of the digests listed below. Only the single field sender.email.email is
// compared; the sending domain, display name and message content play no part,
// so a listed actor who switches to a new address is not caught by this rule.
//
// NOTE(review): the digest is computed over sender.email.email exactly as it is
// presented. Whether the IOC pipeline canonicalises addresses (letter case,
// surrounding whitespace) before hashing cannot be told from here — confirm
// against the pipeline, because the membership test is exact and any
// normalisation mismatch means a listed address silently never matches.
//
// NOTE(review): the digests are opaque in this rule; an analyst triaging a hit
// has to resolve the plaintext address in the threat-intelligence feed rather
// than here.
type.inbound
and hash.sha256(sender.email.email) in (
'181190a9c44fffd9796cfcdea3efc48951283093cd4f0659655b7164f56bddfd', // Observed malicious sender
'284bc29a19d2f97642e3e69e0b5f6bac0d425b6a25827b9947aec4fb5faac812', // Observed malicious sender
'384a79a76bf04331e0a6d8cb2056b6b56b05fb27b4abf87cc648e610cab3ae27', // Observed malicious sender
'45df5110a927dc6160ee706784b4b3f75bc3f9154c75b3c28a524501a25943f5', // Observed malicious sender
'4d3b689898ba624f2032a9e928e258b3650f0ffd5c898f49f9816e1c6e09b575', // Observed malicious sender
'4ee49251788e4434160029e76e7c168432a1d5df45177b8c113a60562b2f4743', // Observed malicious sender
'596544745fbc6b8bab69197761c945c13799b9ac2ffac93b4a69fc9b335870d0', // Observed malicious sender
'77eb1e845faaef33b55023bf10fa643206e8620c49d5d1f4eba9d7d5882093f0', // Observed malicious sender, AFF and fake Zoom meetings
'7affbe4b711761fcbeea34fafe0df6d217463064e60510e12af92b57dbfbf186', // Observed malicious sender
'8d6bf7faaf7190b52d0e7a079cd71228e2d1a20a6fac7749b23226181fe57b7f', // Observed malicious sender
'd3193407cf75baf52783c7bfc1929e7c968cd71d113c12cba0b4b31e68dce8ff', // Observed malicious sender
'eaa6ae148c389d5ffc77ca5437cc24e1ecca7052be3313c1e752de67d161f7c2' // Observed malicious sender
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Observed IOC: Malicious sender email addresses"
description: "Detects inbound messages from known malicious sender email addresses. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed."
type: "rule"
severity: "high"
source: |
// AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
// Managed by automated IOC system
type.inbound
and hash.sha256(sender.email.email) in (
'181190a9c44fffd9796cfcdea3efc48951283093cd4f0659655b7164f56bddfd', // Observed malicious sender
'284bc29a19d2f97642e3e69e0b5f6bac0d425b6a25827b9947aec4fb5faac812', // Observed malicious sender
'384a79a76bf04331e0a6d8cb2056b6b56b05fb27b4abf87cc648e610cab3ae27', // Observed malicious sender
'45df5110a927dc6160ee706784b4b3f75bc3f9154c75b3c28a524501a25943f5', // Observed malicious sender
'4d3b689898ba624f2032a9e928e258b3650f0ffd5c898f49f9816e1c6e09b575', // Observed malicious sender
'4ee49251788e4434160029e76e7c168432a1d5df45177b8c113a60562b2f4743', // Observed malicious sender
'596544745fbc6b8bab69197761c945c13799b9ac2ffac93b4a69fc9b335870d0', // Observed malicious sender
'77eb1e845faaef33b55023bf10fa643206e8620c49d5d1f4eba9d7d5882093f0', // Observed malicious sender, AFF and fake Zoom meetings
'7affbe4b711761fcbeea34fafe0df6d217463064e60510e12af92b57dbfbf186', // Observed malicious sender
'8d6bf7faaf7190b52d0e7a079cd71228e2d1a20a6fac7749b23226181fe57b7f', // Observed malicious sender
'd3193407cf75baf52783c7bfc1929e7c968cd71d113c12cba0b4b31e68dce8ff', // Observed malicious sender
'eaa6ae148c389d5ffc77ca5437cc24e1ecca7052be3313c1e752de67d161f7c2' // Observed malicious sender
)
attack_types:
- "BEC/Fraud"
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Impersonation: Email address"
- "Social engineering"
detection_methods:
- "Sender analysis"
- "Header analysis"
id: "b1c2d3e4-f5a6-4b8c-9d0e-f1a2b3c4d5e6"