Observed IOC: Malicious reply-to email addresses

Detects inbound messages with reply-to headers containing known malicious email addresses. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed.

Sublime rule

```yaml
name: "Observed IOC: Malicious reply-to email addresses"
description: "Detects inbound messages with reply-to headers containing known malicious email addresses. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed."
type: "rule"
severity: "high"
source: |
  // AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
  // Managed by automated IOC system
  false // no active IOCs - rule is temporarily disabled
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Impersonation: Email address"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "d9e0f1a2-b3c4-4d5e-8f6a-b7c8d9e0f1a2"
```
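The rule above currently evaluates to `false` because the generated IOC list is empty, so it never fires. The following is an added, stand-alone Python illustration of the check the rule performs once the pipeline populates it: pull every address out of a message's Reply-To header(s), normalize it, hash it, and compare the hash against the IOC set. It is not Sublime's code and not the IOC pipeline's code. The hash function (SHA-256 over the lower-cased, trimmed address), the helper names (`ioc_hash`, `reply_to_addresses`, `matching_reply_to`, `rule_matches`) and the `.invalid` addresses in the sample IOC list and sample messages are all assumptions constructed for this example; the page does not state which hash or normalization the real pipeline uses.

```python
import hashlib
from email import message_from_bytes
from email.utils import getaddresses


def ioc_hash(address: str) -> str:
    """Hash an address the way this example assumes the IOC list is built:
    trim, lower-case, SHA-256. (Assumption: the real pipeline's hash and
    normalization are not documented on the page.)"""
    return hashlib.sha256(address.strip().lower().encode("utf-8")).hexdigest()


# Constructed IOC list for the demo. Only hashes are kept, mirroring the
# "hashed by the IOC pipeline" design, so the plaintext list never ships
# with the rule. The addresses are invented placeholders.
MALICIOUS_REPLY_TO_HASHES = {
    ioc_hash("billing-desk@example.invalid"),
    ioc_hash("ceo.office@example.invalid"),
}


def reply_to_addresses(raw_message: bytes) -> list[str]:
    """Every address in the message's Reply-To header(s), normalized.

    A message may carry more than one Reply-To header and each header may
    hold a comma-separated list with display names; getaddresses() handles
    both, so a second, hidden address cannot slip past the check.
    """
    msg = message_from_bytes(raw_message)
    pairs = getaddresses(msg.get_all("Reply-To", []))
    return [addr.strip().lower() for _, addr in pairs if addr]


def matching_reply_to(raw_message: bytes,
                      ioc_hashes: set[str] = MALICIOUS_REPLY_TO_HASHES) -> list[str]:
    """Reply-To addresses whose hash is on the IOC list (empty list = no hit)."""
    return [a for a in reply_to_addresses(raw_message) if ioc_hash(a) in ioc_hashes]


def rule_matches(raw_message: bytes,
                 ioc_hashes: set[str] = MALICIOUS_REPLY_TO_HASHES) -> bool:
    """Mirror the rule's semantics: an empty IOC list means the rule is off
    (the published source is literally `false`), otherwise fire on any hit."""
    if not ioc_hashes:
        return False
    return bool(matching_reply_to(raw_message, ioc_hashes))


# Constructed sample messages (not real traffic).
PHISH = b"""From: "Accounts Payable" <ap@vendor.example>
Reply-To: "Accounts Payable" <Billing-Desk@Example.invalid>
To: victim@corp.example
Subject: Updated remittance details

Please send this month's payment to the new account.
"""

# Two Reply-To values: a plausible one first, the IOC address second.
PHISH_MULTI = b"""From: "CEO" <ceo@corp.example>
Reply-To: "CEO" <ceo@corp.example>, "CEO" <ceo.office@example.invalid>
To: victim@corp.example
Subject: Quick favour

Are you at your desk?
"""

BENIGN = b"""From: newsletter@vendor.example
Reply-To: support@vendor.example
To: victim@corp.example
Subject: Monthly update

Nothing to see here.
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("PHISH_MULTI", PHISH_MULTI), ("BENIGN", BENIGN)):
        print(label, rule_matches(raw), matching_reply_to(raw))
```

The normalization step is the part worth getting right in a real deployment: if the pipeline hashes addresses in a different case or with surrounding whitespace, the comparison silently misses, which looks exactly like "no active IOCs".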