Observed IOC: Malicious domains in body links
Detects inbound messages containing links to known malicious domains in the message body. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed.
# Sublime Security detection rule: flags inbound messages whose body links point
# at domains taken from a private threat-intelligence feed. The feed's domains
# never appear here in clear text — the IOC pipeline writes their SHA-256 hashes
# into the `source` block below, so the rule can be published without
# disclosing the feed (the description states the list is hashed by the pipeline).
name: "Observed IOC: Malicious domains in body links"
description: "Detects inbound messages containing links to known malicious domains in the message body. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed."
type: "rule"
# High: a hit means a link to a domain the feed has already observed as malicious.
severity: "high"
# MQL predicate evaluated per message. The header comment says the hash list is
# auto-generated; hand edits to it will be overwritten by the pipeline and a
# hand-added hash will not be consistent with the feed.
source: |
  // AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
  // Managed by automated IOC system
  //
  // Matching is exact equality of SHA-256 digests: no substring, wildcard or
  // regex matching is possible against a hashed list. Any normalisation
  // difference between the pipeline and the value of .domain.domain (case,
  // trailing dot, IDN/punycode) would turn a true hit into a miss.
  // NOTE(review): confirm the pipeline lowercases/normalises domains exactly
  // as the MQL field does before hashing.
  // No sender, recipient or domain exclusions: every inbound match fires.
  type.inbound
  // Only links in the current thread's body are inspected; attachment content
  // and headers are not covered by this rule. "current_thread" presumably means
  // the newest message rather than quoted earlier replies — confirm in MQL docs.
  and any(body.current_thread.links,
          // .href_url.domain.domain is presumably the registrable domain
          // (eTLD+1), so every subdomain of a listed domain hashes to the
          // same value — TODO confirm against the MQL field reference.
          hash.sha256(.href_url.domain.domain) in (
            '104b59a4731112a6ae479060f985b6ea2bdf026c2364066d8b4810c1fa591893', // Observed malicious credential phishing link domain
            '217c4901d032661cb4b6cbfe89d73f7dfab3ea90df594c52e7b8b5f89f7addaf', // Observed malicious credential phishing link domain
            '358871a6a4b575d4943918cc1cb7cfc82b6c93eb7b926bee522bc97b013f8710', // Observed malicious domain in message body links
            '445753e02403e3c831b2790e7b07f18f99c9a822f4cb2ccd7d5bc1ab6ca7451c', // Observed malicious credential phishing link domain
            '8be652e049830c8619e6495f550b85326491cec7b89d7718a8cbf9df635195a5', // Observed malicious credential phishing link domain
            '96cf4453229b1cdcc1fd94d07260c037a57b999ea93d6b6f360f655305a4ad86', // Observed malicious domain in message body links
            '97e023dc6c17e035ffad3753f361b4ef9bf06c502ef8746d2df92a2b6333d960', // Observed malicious credential phishing link domain
            'a3258c1b4241a2e597c343ea46b6c0d287bc91d5c662d2c29cf42a6b29c07bed', // Observed malicious credential phishing link domain
            'd0c1e10bdae01882db320da54ffe233b35b962cef5a703c0aa212931c95d2f9b', // Observed malicious credential phishing link domain
            'db42baff2fd8669be0b3253a697a9d91ec3d8af1bd5387c70622fdc79f1d0526', // Observed malicious credential phishing link domain
            'ea0d7829c0ab56a6bfdf97575a9881639b7dccc5b40acfbae094da1900bda9f5', // Observed malicious credential phishing link domain
            'ebd6ee41423ffa71f8d1c34d2b7b37df421ac333cf44bde86c42c6a8d189f4ac', // Observed malicious credential phishing link domain
            'fe5d28deb522bb09961654bae29b27f28b21f8709d1968546e4644d23c324093' // Observed malicious credential phishing link domain
          )
  )

# Taxonomy metadata for triage and reporting; it does not affect matching.
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "URL analysis"
  - "Content analysis"
# Rule identifier. Presumably kept stable across pipeline regenerations so that
# existing alerts and exclusions stay correlated — keep it unchanged.
id: "e4f5a6b7-c8d9-4e1f-8a3b-c4d5e6f7a8b9"