
Observed IOC: Malicious sender domains

Detects inbound messages sent from known malicious sender domains. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed.

Detection Query

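// AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
// Managed by automated IOC system
//
// Flags inbound messages whose sender domain, once SHA-256 hashed, appears in
// the list below. Hashing keeps the plaintext indicators from the private feed
// out of the rule text; the trade-off is that a match is opaque to anyone
// reading the rule itself, so triage has to look at the flagged message.
// NOTE(review): this only matches if sender.email.domain.domain is normalized
// (e.g. lowercased) the same way the pipeline normalized the indicator before
// hashing it — any case difference yields a different digest. Confirm.
// NOTE(review): the generated output listed five digests twice; they appear
// once here because `in` is set membership and the duplicates changed nothing,
// but the generator should deduplicate on output.
type.inbound
and hash.sha256(sender.email.domain.domain) in (
  '31b3ad77a8d0c9e808620aa13a714703ecb1447aab96e9728256fdb320d02b94', // Malicious Sender Observed - Fake Investment Phishing
  '32162c01a405aac2862c06917563a5c602490d04c885f4bf1e19fc755aee1a49', // Malicious Sender Observed - Fake Investment Phishing
  '4148bbc8c4290f37a6c4287ff1825702a76b8d3c56ffdbbf60bd7caf83ac0cd7', // Malicious Sender Observed - Fake Investment Phishing
  '474d832968657bdd6413125a433a4d2383c5541aa98389eb1cb5101076d835f2', // Malicious Sender - Fake Investment phishing
  '53cdb6a96d07000b264424868f28564826567f2ec9b98f168982ed5c00ac73d0', // Malicious Sender Observed - Fake Investment Phishing
  '664186e4b85b8d398d1d6adca6be413bf885c446cea1aad92805f0eb7ea3b06f', // Malicious Sender Observed - Fake Investment Phishing
  '6c55da6d7e08986dd61d6e85ec7ccdaf632b0655cd3faa5b7345bd36feaefdbd', // Malicious Sender Observed - Fake Investment Phishing
  '779ec0285d40312e71048ff8816996c8ca58321d283135e4058306407deb7d89', // Malicious Sender - Fake Investment phishing
  '96b900c0976abd5a44b474e78f99b052b06e60490a68b4ada0822f7e3d5ebd86', // Malicious Sender - Fake Investment phishing
  'a06cc80cd1ab962012feb626443397f1a62c328bcae6449406a0ac1e23a1d977', // Malicious Sender Observed - Fake Investment Phishing
  'a0e396a21badb0832c85f4d77e62f2063a23a5673f5e856610a2f80764801132', // Malicious Sender Observed - Fake Investment Phishing
  'a48480f4977e425042f14b2b6e9c379c7ecf913211d11f6d605cf5009a5a0bbe', // Malicious Sender - Fake Investment phishing
  'a5b43bc33d73ce5271e0fc5de835e0447891cf03c4afec52d3e9f9f64e0dab49', // Malicious Sender Observed - Fake Investment Phishing
  'bbdbb3c2eb9a4844abce22abd9ebe8315a18e2d7a4c58c37c15b572e3ddbcac1', // Malicious Sender Observed - Fake Investment Phishing
  'cd53341855f7ab0ebb852bdb74d1305e1a7720a8b388d5cac6aee7583738ad1f', // Malicious Sender Observed - Fake Investment Phishing
  'd2f634bdb8d7cbe7d68ed88e5d4e82d733d167fabaef3dcf9e9b74ac732cfef3', // Malicious Sender Observed - Fake Investment Phishing
  'ee275dbc838ad90d2039bcc3ac43419823e10efd9bbd428a673f84e23f3b3eac', // Malicious Sender - Fake Investment phishing
  'f6b617570c13f90125ad3bd8dfcd445dc3a72472cca869b81344f39f0cc63b8c', // Malicious Sender Observed - Fake Investment Phishing
  'ff242a5a574b77b143a1a2953e56a86c916794fd71d27033493a7d0aade24890' // Malicious Sender Observed - Fake Investment Phishing
)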

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
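name: "Observed IOC: Malicious sender domains"
description: "Detects inbound messages sent from known malicious sender domains. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed."
type: "rule"
severity: "high"
# The rule body is MQL. The digest list inside it is emitted by the IOC
# pipeline; hashing keeps the private feed's plaintext domains out of the rule,
# so a match is only interpretable from the flagged message, not from the rule.
# NOTE(review): five digests were duplicated in the generated list and are
# listed once below (`in` is set membership, so behaviour is unchanged); the
# generator should deduplicate on output.
source: |
  // AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
  // Managed by automated IOC system
  // NOTE(review): assumes sender.email.domain.domain is normalized (e.g.
  // lowercased) the same way the pipeline normalized the indicator before
  // hashing it — any case difference yields a different digest. Confirm.
  type.inbound
  and hash.sha256(sender.email.domain.domain) in (
    '31b3ad77a8d0c9e808620aa13a714703ecb1447aab96e9728256fdb320d02b94', // Malicious Sender Observed - Fake Investment Phishing
    '32162c01a405aac2862c06917563a5c602490d04c885f4bf1e19fc755aee1a49', // Malicious Sender Observed - Fake Investment Phishing
    '4148bbc8c4290f37a6c4287ff1825702a76b8d3c56ffdbbf60bd7caf83ac0cd7', // Malicious Sender Observed - Fake Investment Phishing
    '474d832968657bdd6413125a433a4d2383c5541aa98389eb1cb5101076d835f2', // Malicious Sender - Fake Investment phishing
    '53cdb6a96d07000b264424868f28564826567f2ec9b98f168982ed5c00ac73d0', // Malicious Sender Observed - Fake Investment Phishing
    '664186e4b85b8d398d1d6adca6be413bf885c446cea1aad92805f0eb7ea3b06f', // Malicious Sender Observed - Fake Investment Phishing
    '6c55da6d7e08986dd61d6e85ec7ccdaf632b0655cd3faa5b7345bd36feaefdbd', // Malicious Sender Observed - Fake Investment Phishing
    '779ec0285d40312e71048ff8816996c8ca58321d283135e4058306407deb7d89', // Malicious Sender - Fake Investment phishing
    '96b900c0976abd5a44b474e78f99b052b06e60490a68b4ada0822f7e3d5ebd86', // Malicious Sender - Fake Investment phishing
    'a06cc80cd1ab962012feb626443397f1a62c328bcae6449406a0ac1e23a1d977', // Malicious Sender Observed - Fake Investment Phishing
    'a0e396a21badb0832c85f4d77e62f2063a23a5673f5e856610a2f80764801132', // Malicious Sender Observed - Fake Investment Phishing
    'a48480f4977e425042f14b2b6e9c379c7ecf913211d11f6d605cf5009a5a0bbe', // Malicious Sender - Fake Investment phishing
    'a5b43bc33d73ce5271e0fc5de835e0447891cf03c4afec52d3e9f9f64e0dab49', // Malicious Sender Observed - Fake Investment Phishing
    'bbdbb3c2eb9a4844abce22abd9ebe8315a18e2d7a4c58c37c15b572e3ddbcac1', // Malicious Sender Observed - Fake Investment Phishing
    'cd53341855f7ab0ebb852bdb74d1305e1a7720a8b388d5cac6aee7583738ad1f', // Malicious Sender Observed - Fake Investment Phishing
    'd2f634bdb8d7cbe7d68ed88e5d4e82d733d167fabaef3dcf9e9b74ac732cfef3', // Malicious Sender Observed - Fake Investment Phishing
    'ee275dbc838ad90d2039bcc3ac43419823e10efd9bbd428a673f84e23f3b3eac', // Malicious Sender - Fake Investment phishing
    'f6b617570c13f90125ad3bd8dfcd445dc3a72472cca869b81344f39f0cc63b8c', // Malicious Sender Observed - Fake Investment Phishing
    'ff242a5a574b77b143a1a2953e56a86c916794fd71d27033493a7d0aade24890' // Malicious Sender Observed - Fake Investment Phishing
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Impersonation: Domain"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "Header analysis"
id: "c2d3e4f5-a6b7-4c9d-ae1f-a2b3c4d5e6f7"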