Observed IOC: Malicious sender domains

Detects inbound messages sent from known malicious sender domains. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed.

Sublime rule (View on GitHub)

 1name: "Observed IOC: Malicious sender domains"
 2description: "Detects inbound messages sent from known malicious sender domains. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed."
 3type: "rule"
 4severity: "high"
 5source: |
 6  // AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
 7  // Managed by automated IOC system
 8  type.inbound
 9  and hash.sha256(sender.email.domain.domain) in (
10    '049a4890de5dead7b5b968c191d56aba74e4d96c3712c6016142c6e00b0bb7b6', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
11    '28b686d3c7b091ebdda1373f58a16635f4dacaaa748d0a4f2175273a09662770', // Malicious Sender - Multiple Lures spaning multiple days
12    '344964b8f8ee23b4c5ebb446b85722abae2e15fa30a710219b348f21c4c03ac1', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
13    '6798365fdfb2f39074e58d4221541c778ba593a099ad3b334224a1f992a63313', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
14    '6f2681220ecf14f51e24f398daa4a0a5d8044fcccc67969bcfa5254e803b082c', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
15    '90d3c2c031a19cd887556d924842fb4300dc3890429e9da2b5c267a862be7f9b', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
16    'bc0b660d1726f95579835f2694c4f58c656f431fbbc810c7fc4d19f2b2a177d7', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
17    'd758b32f46a81a66e5844fc072486b6860625aea5a79e3051cf9df00a47c3f5d', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
18    'de9e07c5b87055b27e8419cfd89485c7b374deec228dc51d6aa710c68de27965', // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
19    'ec74a3b1b533fa08aada394224a5fc46a60f02a84950d8085885dd0d61e9e9dd' // Sender domain used in VIP-impersonation invoice/payment BEC with fabricated reply threads
20  )  
21
22attack_types:
23  - "BEC/Fraud"
24  - "Credential Phishing"
25  - "Malware/Ransomware"
26tactics_and_techniques:
27  - "Impersonation: Domain"
28  - "Social engineering"
29detection_methods:
30  - "Sender analysis"
31  - "Header analysis"
32id: "c2d3e4f5-a6b7-4c9d-ae1f-a2b3c4d5e6f7"
to-top