Observed IOC: Malicious root domains in body links

Detects inbound messages containing links to known malicious root domains in the message body. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed.

Sublime rule

name: "Observed IOC: Malicious root domains in body links"
description: "Detects inbound messages containing links to known malicious root domains in the message body. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed."
type: "rule"
severity: "high"
source: |
  // AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
  // Managed by automated IOC system
  type.inbound
  and any(body.current_thread.links,
          hash.sha256(.href_url.domain.root_domain) in (
            '2b3a899b37c99e1be17799f8aa08cf09ba253fade16c0aa4aa5a92a28df3d492', // Invoice themed cred theft
            'bc470dca9be34cef8b0179168bf667fa4b2e2ea4e364e1b404033913bc8b11a0' // Encrypted Message fake Dropbox Lure
          )
  )

attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "URL analysis"
  - "Content analysis"
id: "f5a6b7c8-d9e0-4f2a-9b4c-d5e6f7a8b9c0"
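The check the rule performs, re-implemented in Python as an added example (this is not Sublime's code or the IOC pipeline's): each body link is reduced to its root domain, SHA-256 hashed, and looked up in a set of IOC hashes, so subdomain and case variations of a listed domain still match while the feed itself never has to ship plaintext domains. The IOC domains, the sample links and the tiny public-suffix table are all constructed for the example; a real deployment would use a full public suffix list.

```python
import hashlib
from urllib.parse import urlparse

# Constructed, minimal stand-in for the public suffix list so the example runs offline.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def root_domain(hostname: str) -> str:
    """Registrable root domain of a hostname, e.g. files.evil.co.uk -> evil.co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def hash_domain(domain: str) -> str:
    """Same transform the rule applies: hash.sha256(root_domain), hex encoded."""
    return hashlib.sha256(domain.encode("utf-8")).hexdigest()


# Constructed IOC root domains; only their hashes would appear in the shipped rule.
CONSTRUCTED_IOCS = ["invoice-portal-example.test", "dropbox-secure-example.co.uk"]
IOC_HASHES = {hash_domain(d) for d in CONSTRUCTED_IOCS}


def matching_links(links, ioc_hashes=IOC_HASHES):
    """Return the body links whose root domain hashes to a known IOC."""
    hits = []
    for href in links:
        host = urlparse(href).hostname
        if host and hash_domain(root_domain(host)) in ioc_hashes:
            hits.append(href)
    return hits


def rule_fires(inbound: bool, links) -> bool:
    """Mirror of the rule: type.inbound and any(body links, root-domain hash in IOC list)."""
    return inbound and bool(matching_links(links))


if __name__ == "__main__":
    body_links = [  # constructed message links
        "https://example.com/login",
        "https://pay.INVOICE-portal-example.test/view?id=1",   # subdomain + case variation
        "http://files.dropbox-secure-example.co.uk/msg",       # multi-label public suffix
    ]
    print(matching_links(body_links))
    print(rule_fires(True, body_links), rule_fires(False, body_links))
```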