Platform: Sublime · Severity: high · Rule
Observed IOC: Malicious reply-to email addresses
Detects inbound messages with reply-to headers containing known malicious email addresses. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed.
Detection Query
// AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
// Managed by automated IOC system
false // no active IOCs - rule is temporarily disabled
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Observed IOC: Malicious reply-to email addresses"
description: "Detects inbound messages with reply-to headers containing known malicious email addresses. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed."
type: "rule"
severity: "high"
source: |
  // AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
  // Managed by automated IOC system
  false // no active IOCs - rule is temporarily disabled
attack_types:
- "BEC/Fraud"
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Impersonation: Email address"
- "Social engineering"
detection_methods:
- "Header analysis"
- "Sender analysis"
id: "d9e0f1a2-b3c4-4d5e-8f6a-b7c8d9e0f1a2"