Observed IOC: Malicious sender domains

Detects inbound messages sent from known malicious sender domains. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed.

Sublime rule

name: "Observed IOC: Malicious sender domains"
description: "Detects inbound messages sent from known malicious sender domains. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed."
type: "rule"
severity: "high"
source: |
  // AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
  // Managed by automated IOC system
  type.inbound
  and hash.sha256(sender.email.domain.domain) in (
    '31b3ad77a8d0c9e808620aa13a714703ecb1447aab96e9728256fdb320d02b94', // Malicious Sender Observed - Fake Investment Phishing
    '32162c01a405aac2862c06917563a5c602490d04c885f4bf1e19fc755aee1a49', // Malicious Sender Observed - Fake Investment Phishing
    '4148bbc8c4290f37a6c4287ff1825702a76b8d3c56ffdbbf60bd7caf83ac0cd7', // Malicious Sender Observed - Fake Investment Phishing
    '474d832968657bdd6413125a433a4d2383c5541aa98389eb1cb5101076d835f2', // Malicious Sender - Fake Investment phishing
    '474d832968657bdd6413125a433a4d2383c5541aa98389eb1cb5101076d835f2', // Malicious Sender - Fake Investment phishing
    '53cdb6a96d07000b264424868f28564826567f2ec9b98f168982ed5c00ac73d0', // Malicious Sender Observed - Fake Investment Phishing
    '664186e4b85b8d398d1d6adca6be413bf885c446cea1aad92805f0eb7ea3b06f', // Malicious Sender Observed - Fake Investment Phishing
    '6c55da6d7e08986dd61d6e85ec7ccdaf632b0655cd3faa5b7345bd36feaefdbd', // Malicious Sender Observed - Fake Investment Phishing
    '779ec0285d40312e71048ff8816996c8ca58321d283135e4058306407deb7d89', // Malicious Sender - Fake Investment phishing
    '779ec0285d40312e71048ff8816996c8ca58321d283135e4058306407deb7d89', // Malicious Sender - Fake Investment phishing
    '96b900c0976abd5a44b474e78f99b052b06e60490a68b4ada0822f7e3d5ebd86', // Malicious Sender - Fake Investment phishing
    '96b900c0976abd5a44b474e78f99b052b06e60490a68b4ada0822f7e3d5ebd86', // Malicious Sender - Fake Investment phishing
    'a06cc80cd1ab962012feb626443397f1a62c328bcae6449406a0ac1e23a1d977', // Malicious Sender Observed - Fake Investment Phishing
    'a0e396a21badb0832c85f4d77e62f2063a23a5673f5e856610a2f80764801132', // Malicious Sender Observed - Fake Investment Phishing
    'a48480f4977e425042f14b2b6e9c379c7ecf913211d11f6d605cf5009a5a0bbe', // Malicious Sender - Fake Investment phishing
    'a48480f4977e425042f14b2b6e9c379c7ecf913211d11f6d605cf5009a5a0bbe', // Malicious Sender - Fake Investment phishing
    'a5b43bc33d73ce5271e0fc5de835e0447891cf03c4afec52d3e9f9f64e0dab49', // Malicious Sender Observed - Fake Investment Phishing
    'ae17c9b46750752e693bee15d77d940793862112ba2247f2f0506da9036dbe11', // Observed malicious sender domain
    'bbdbb3c2eb9a4844abce22abd9ebe8315a18e2d7a4c58c37c15b572e3ddbcac1', // Malicious Sender Observed - Fake Investment Phishing
    'cd53341855f7ab0ebb852bdb74d1305e1a7720a8b388d5cac6aee7583738ad1f', // Malicious Sender Observed - Fake Investment Phishing
    'd2f634bdb8d7cbe7d68ed88e5d4e82d733d167fabaef3dcf9e9b74ac732cfef3', // Malicious Sender Observed - Fake Investment Phishing
    'e9c66e037a06bd8e1b07aff28f2e1644fc1684c294394a75d2c54ba1b0bc5b44', // Observed malicious sender domain
    'ee275dbc838ad90d2039bcc3ac43419823e10efd9bbd428a673f84e23f3b3eac', // Malicious Sender - Fake Investment phishing
    'ee275dbc838ad90d2039bcc3ac43419823e10efd9bbd428a673f84e23f3b3eac', // Malicious Sender - Fake Investment phishing
    'f6b617570c13f90125ad3bd8dfcd445dc3a72472cca869b81344f39f0cc63b8c', // Malicious Sender Observed - Fake Investment Phishing
    'ff242a5a574b77b143a1a2953e56a86c916794fd71d27033493a7d0aade24890' // Malicious Sender Observed - Fake Investment Phishing
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Impersonation: Domain"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "Header analysis"
id: "c2d3e4f5-a6b7-4c9d-ae1f-a2b3c4d5e6f7"
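The rule above compares a SHA-256 of the sender's email domain against a pre-hashed list, so the feed side and the rule side must normalise the domain identically or nothing will ever match. The Python below is an added example, not Sublime's code or the IOC pipeline's: it mirrors the rule's match logic, shows the pipeline step that turns plaintext feed domains into the hashed list, and lints a generated list for duplicates and malformed entries (the list above contains several repeated hashes). It assumes the pipeline hashes the full lowercased sender domain string; the feed domains are constructed placeholders.

```python
import hashlib
import re

# Constructed sample feed: hypothetical plaintext sender domains, not the
# real domains behind the hashes in the rule above.
SAMPLE_FEED_DOMAINS = ["evil-invest.example", "fake-fund.example"]

HEX64 = re.compile(r"^[0-9a-f]{64}$")


def hash_domain(domain: str) -> str:
    """SHA-256 of a sender domain, normalised the same way on both sides.

    Assumption: the pipeline lowercases the full domain string and strips
    whitespace and a trailing dot before hashing; an exact byte match is
    required, so 'mail.evil-invest.example' hashes differently from
    'evil-invest.example' and would not match the rule's list.
    """
    normalised = domain.strip().rstrip(".").lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def build_ioc_set(domains) -> set:
    """Pipeline side: turn plaintext feed domains into the rule's hash list."""
    return {hash_domain(d) for d in domains}


def sender_email_domain(address: str) -> str:
    """Stand-in for sender.email.domain.domain: the part after the last '@'."""
    if "@" not in address:
        raise ValueError(f"not an email address: {address!r}")
    return address.rsplit("@", 1)[1]


def sender_matches(sender_email: str, ioc_hashes: set, inbound: bool = True) -> bool:
    """Rule side: type.inbound and hash.sha256(sender domain) in (...)."""
    if not inbound:
        return False
    return hash_domain(sender_email_domain(sender_email)) in ioc_hashes


def lint_ioc_list(hashes) -> dict:
    """Sanity-check a generated list: flag duplicate and malformed hashes."""
    seen, dupes, malformed = set(), set(), []
    for h in hashes:
        if not HEX64.match(h):
            malformed.append(h)
        elif h in seen:
            dupes.add(h)
        else:
            seen.add(h)
    return {"duplicates": sorted(dupes), "malformed": malformed, "unique": len(seen)}
```

Running `lint_ioc_list` over the quoted list before publishing the rule catches the repeated entries, which cost lookup time without adding coverage.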