Source: sublime | Severity: high | Type: Rule
Observed IOC: Malicious domains in body links
Detects inbound messages containing links to known malicious domains in the message body. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed.
Detection Query
// AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
// Managed by automated IOC system
type.inbound
and any(body.current_thread.links,
        hash.sha256(.href_url.domain.domain) in (
            '104b59a4731112a6ae479060f985b6ea2bdf026c2364066d8b4810c1fa591893', // Observed malicious credential phishing link domain
            '217c4901d032661cb4b6cbfe89d73f7dfab3ea90df594c52e7b8b5f89f7addaf', // Observed malicious credential phishing link domain
            '445753e02403e3c831b2790e7b07f18f99c9a822f4cb2ccd7d5bc1ab6ca7451c', // Observed malicious credential phishing link domain
            '8be652e049830c8619e6495f550b85326491cec7b89d7718a8cbf9df635195a5', // Observed malicious credential phishing link domain
            '97e023dc6c17e035ffad3753f361b4ef9bf06c502ef8746d2df92a2b6333d960', // Observed malicious credential phishing link domain
            'a3258c1b4241a2e597c343ea46b6c0d287bc91d5c662d2c29cf42a6b29c07bed', // Observed malicious credential phishing link domain
            'd0c1e10bdae01882db320da54ffe233b35b962cef5a703c0aa212931c95d2f9b', // Observed malicious credential phishing link domain
            'db42baff2fd8669be0b3253a697a9d91ec3d8af1bd5387c70622fdc79f1d0526', // Observed malicious credential phishing link domain
            'ea0d7829c0ab56a6bfdf97575a9881639b7dccc5b40acfbae094da1900bda9f5', // Observed malicious credential phishing link domain
            'ebd6ee41423ffa71f8d1c34d2b7b37df421ac333cf44bde86c42c6a8d189f4ac', // Observed malicious credential phishing link domain
            'fe5d28deb522bb09961654bae29b27f28b21f8709d1968546e4644d23c324093'  // Observed malicious credential phishing link domain
        )
)
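To make the hashed-IOC comparison the rule performs visible outside Sublime, here is an added Python emulation (not the rule's own code and not Sublime's implementation): it pulls link hostnames out of a constructed HTML body, SHA-256 hashes each one, and checks membership in a constructed digest set, so the plaintext domains never need to live in the rule body. The href regex, the inbound check, and the lowercase/trailing-dot normalisation are assumptions standing in for Sublime's own link parsing.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed IOC set: SHA-256 digests of link domains, mirroring how the rule
# compares hash.sha256(.href_url.domain.domain) against a hashed list. The
# domains are made up; in the real rule only the digests appear.
CONSTRUCTED_BAD_DOMAINS = ["login-verify.example", "secure-update.example"]
IOC_HASHES = {hashlib.sha256(d.encode("utf-8")).hexdigest() for d in CONSTRUCTED_BAD_DOMAINS}

# Minimal href extraction (assumption: stands in for body.current_thread.links).
HREF_RE = re.compile(r"""href\s*=\s*["']([^"'>\s]+)""", re.IGNORECASE)


def link_domains(html_body):
    """Hostname of every href in the body, lowercased and without a trailing
    dot, so the digest is always computed over one canonical form."""
    domains = []
    for href in HREF_RE.findall(html_body):
        host = urlparse(href).hostname  # None for mailto:, relative or empty hrefs
        if host:
            domains.append(host.lower().rstrip("."))
    return domains


def hash_domain(domain):
    return hashlib.sha256(domain.encode("utf-8")).hexdigest()


def matched_ioc_domains(message):
    """Emulates the rule: inbound only, then any body link whose hashed domain
    is in the IOC set. Returns the matching domains so an analyst can triage."""
    if message.get("direction") != "inbound":
        return []
    return [d for d in link_domains(message["body_html"]) if hash_domain(d) in IOC_HASHES]


def rule_fires(message):
    return bool(matched_ioc_domains(message))


# Constructed sample messages.
PHISH = {"direction": "inbound",
         "body_html": '<p>Reset now: <a href="https://Login-Verify.example/reset?u=1">here</a></p>'}
BENIGN = {"direction": "inbound",
          "body_html": '<a href="https://example.org/">docs</a> <a href="mailto:it@example.org">it</a>'}
OUTBOUND = {"direction": "outbound", "body_html": PHISH["body_html"]}

if __name__ == "__main__":
    for name, msg in [("PHISH", PHISH), ("BENIGN", BENIGN), ("OUTBOUND", OUTBOUND)]:
        print(name, rule_fires(msg), matched_ioc_domains(msg))
```

Because only digests are compared, a mixed-case or trailing-dot variant of the same hostname would be missed unless it is normalised first, which is why the emulation canonicalises before hashing.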
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Observed IOC: Malicious domains in body links"
description: "Detects inbound messages containing links to known malicious domains in the message body. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed."
type: "rule"
severity: "high"
source: |
  // AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
  // Managed by automated IOC system
  type.inbound
  and any(body.current_thread.links,
          hash.sha256(.href_url.domain.domain) in (
              '104b59a4731112a6ae479060f985b6ea2bdf026c2364066d8b4810c1fa591893', // Observed malicious credential phishing link domain
              '217c4901d032661cb4b6cbfe89d73f7dfab3ea90df594c52e7b8b5f89f7addaf', // Observed malicious credential phishing link domain
              '445753e02403e3c831b2790e7b07f18f99c9a822f4cb2ccd7d5bc1ab6ca7451c', // Observed malicious credential phishing link domain
              '8be652e049830c8619e6495f550b85326491cec7b89d7718a8cbf9df635195a5', // Observed malicious credential phishing link domain
              '97e023dc6c17e035ffad3753f361b4ef9bf06c502ef8746d2df92a2b6333d960', // Observed malicious credential phishing link domain
              'a3258c1b4241a2e597c343ea46b6c0d287bc91d5c662d2c29cf42a6b29c07bed', // Observed malicious credential phishing link domain
              'd0c1e10bdae01882db320da54ffe233b35b962cef5a703c0aa212931c95d2f9b', // Observed malicious credential phishing link domain
              'db42baff2fd8669be0b3253a697a9d91ec3d8af1bd5387c70622fdc79f1d0526', // Observed malicious credential phishing link domain
              'ea0d7829c0ab56a6bfdf97575a9881639b7dccc5b40acfbae094da1900bda9f5', // Observed malicious credential phishing link domain
              'ebd6ee41423ffa71f8d1c34d2b7b37df421ac333cf44bde86c42c6a8d189f4ac', // Observed malicious credential phishing link domain
              'fe5d28deb522bb09961654bae29b27f28b21f8709d1968546e4644d23c324093'  // Observed malicious credential phishing link domain
          )
  )
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "Social engineering"
detection_methods:
- "URL analysis"
- "Content analysis"
id: "e4f5a6b7-c8d9-4e1f-8a3b-c4d5e6f7a8b9"