EXPLORE
← Back to Explore
sublimehighRule

Observed IOC: Malicious sender domains

Detects inbound messages sent from known malicious sender domains. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed.

Detection Query

// AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
// Managed by automated IOC system
type.inbound
and hash.sha256(sender.email.domain.domain) in (
  '049a4890de5dead7b5b968c191d56aba74e4d96c3712c6016142c6e00b0bb7b6', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
  '28b686d3c7b091ebdda1373f58a16635f4dacaaa748d0a4f2175273a09662770', // Malicious Sender - Multiple Lures spaning multiple days
  '344964b8f8ee23b4c5ebb446b85722abae2e15fa30a710219b348f21c4c03ac1', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
  '6798365fdfb2f39074e58d4221541c778ba593a099ad3b334224a1f992a63313', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
  '6f2681220ecf14f51e24f398daa4a0a5d8044fcccc67969bcfa5254e803b082c', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
  '90d3c2c031a19cd887556d924842fb4300dc3890429e9da2b5c267a862be7f9b', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
  'bc0b660d1726f95579835f2694c4f58c656f431fbbc810c7fc4d19f2b2a177d7', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
  'd758b32f46a81a66e5844fc072486b6860625aea5a79e3051cf9df00a47c3f5d', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
  'de9e07c5b87055b27e8419cfd89485c7b374deec228dc51d6aa710c68de27965', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
  'ec74a3b1b533fa08aada394224a5fc46a60f02a84950d8085885dd0d61e9e9dd' // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Observed IOC: Malicious sender domains"
description: "Detects inbound messages sent from known malicious sender domains. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed."
type: "rule"
severity: "high"
source: |
  // AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
  // Managed by automated IOC system
  type.inbound
  and hash.sha256(sender.email.domain.domain) in (
    '049a4890de5dead7b5b968c191d56aba74e4d96c3712c6016142c6e00b0bb7b6', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
    '28b686d3c7b091ebdda1373f58a16635f4dacaaa748d0a4f2175273a09662770', // Malicious Sender - Multiple Lures spaning multiple days
    '344964b8f8ee23b4c5ebb446b85722abae2e15fa30a710219b348f21c4c03ac1', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
    '6798365fdfb2f39074e58d4221541c778ba593a099ad3b334224a1f992a63313', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
    '6f2681220ecf14f51e24f398daa4a0a5d8044fcccc67969bcfa5254e803b082c', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
    '90d3c2c031a19cd887556d924842fb4300dc3890429e9da2b5c267a862be7f9b', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
    'bc0b660d1726f95579835f2694c4f58c656f431fbbc810c7fc4d19f2b2a177d7', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
    'd758b32f46a81a66e5844fc072486b6860625aea5a79e3051cf9df00a47c3f5d', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
    'de9e07c5b87055b27e8419cfd89485c7b374deec228dc51d6aa710c68de27965', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
    'ec74a3b1b533fa08aada394224a5fc46a60f02a84950d8085885dd0d61e9e9dd' // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Impersonation: Domain"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "Header analysis"
id: "c2d3e4f5-a6b7-4c9d-ae1f-a2b3c4d5e6f7"