Observed IOC: Malicious sender domains

Detects inbound messages sent from known malicious sender domains. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed.

Sublime rule

```yaml
name: "Observed IOC: Malicious sender domains"
description: "Detects inbound messages sent from known malicious sender domains. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed."
type: "rule"
severity: "high"
source: |
  // AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
  // Managed by automated IOC system
  type.inbound
  and hash.sha256(sender.email.domain.domain) in (
    '0a6141ede4cee26d2290785f273077a1c8fb02994b1ea8443b7a05bee9ed9660', // Observed malicious sender domain
    '4329aaaa62552b1c483a0de41ed0e2e525b87ed31b4cfccae105ef38791a9ab6', // Observed malicious sender domain
    'ae17c9b46750752e693bee15d77d940793862112ba2247f2f0506da9036dbe11', // Observed malicious sender domain
    'beb77deb75c7ba96d7a2096dec8ade6e8b4ea5ec6c72afc9fae054479e98fffa', // Observed malicious sender domain
    'e9c66e037a06bd8e1b07aff28f2e1644fc1684c294394a75d2c54ba1b0bc5b44', // Observed malicious sender domain
    'f9c727407117deb36e64c54263731370aa49caafa7348a04b6af9daf1b99767d', // Observed malicious sender domain
    'fd81a1ac33dca138eb203faa6d34bf1b446633b5a3b380927daabbbed9194c0c' // Observed malicious sender domain
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Impersonation: Domain"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "Header analysis"
id: "c2d3e4f5-a6b7-4c9d-ae1f-a2b3c4d5e6f7"
```
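The rule above matches on the SHA-256 of the sender domain rather than on the domain itself, so the public rule can carry indicators from a private feed without disclosing them. The following Python is an added example, not Sublime's own code or the IOC pipeline's: it shows both halves of that design, the producer step that turns plaintext domains into a publishable hash list, and the consumer step that evaluates `type.inbound and hash.sha256(sender.email.domain.domain) in (...)` against a message. The domains, message samples and the lowercase/trim normalization before hashing are all constructed assumptions; the domains are placeholders and are not the ones behind the hashes printed in the rule.

```python
import hashlib
from email.utils import parseaddr

# Constructed placeholder domains standing in for the private threat-intel feed.
# They are NOT the domains behind the hashes published in the rule above.
KNOWN_MALICIOUS_DOMAINS = [
    "bad-sender.example",
    "phish-login.example",
    "invoice-pay.example",
]


def hash_domain(domain: str) -> str:
    """SHA-256 hex digest of a domain, the same shape as the MQL hash.sha256() values.

    Lowercasing and trimming before hashing is an assumption about the pipeline:
    SHA-256 is case-sensitive, so producer and rule must normalize identically
    or 'Bad-Sender.example' silently misses the list.
    """
    return hashlib.sha256(domain.strip().lower().encode("utf-8")).hexdigest()


def build_ioc_hash_list(domains):
    """Producer side: plaintext domains -> sorted, de-duplicated hash list that can
    be published in a rule without disclosing the feed's contents."""
    return sorted({hash_domain(d) for d in domains})


def sender_domain(from_header: str):
    """Extract the domain from a From header ('Name <user@host>' or bare 'user@host').
    Returns None when no address or domain is present."""
    _, addr = parseaddr(from_header)
    _local, sep, domain = addr.rpartition("@")
    if not sep or not domain:
        return None
    return domain


def matches_rule(message: dict, ioc_hashes) -> bool:
    """Consumer side: the rule's logic applied to one message dict.
    Mirrors `type.inbound and hash.sha256(sender.email.domain.domain) in (...)`."""
    if message.get("direction") != "inbound":
        return False
    domain = sender_domain(message.get("from", ""))
    if domain is None:
        return False
    return hash_domain(domain) in ioc_hashes


def flagged_ids(messages, ioc_hashes):
    """Return the ids of the messages the rule would flag."""
    return [m["id"] for m in messages if matches_rule(m, ioc_hashes)]


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    {"id": "m1", "direction": "inbound", "from": "billing@bad-sender.example"},
    {"id": "m2", "direction": "inbound", "from": "Alice <alice@partner.example>"},
    {"id": "m3", "direction": "outbound", "from": "me@phish-login.example"},
    {"id": "m4", "direction": "inbound", "from": "Support <help@PHISH-LOGIN.example>"},
    {"id": "m5", "direction": "inbound", "from": "no-address-here"},
]

IOC_HASHES = set(build_ioc_hash_list(KNOWN_MALICIOUS_DOMAINS))

if __name__ == "__main__":
    print("published hash list:")
    for h in build_ioc_hash_list(KNOWN_MALICIOUS_DOMAINS):
        print(" ", h)
    print("flagged:", flagged_ids(SAMPLE_MESSAGES, IOC_HASHES))
```

Two properties of the hashed-list approach are worth keeping in mind when tuning or extending such a rule: the match is exact, so a lookalike or a subdomain of a listed domain does not match unless the pipeline also emits a hash for it (m2 above is not flagged, m3 is excluded by the inbound check rather than by the list), and the rule can only be as good as the normalization agreement between the pipeline that hashes the feed and the engine that hashes `sender.email.domain.domain` at evaluation time.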