Observed IOC: Malicious sender domains

Detects inbound messages sent from known malicious sender domains. The IOC list is managed automatically by the IOC pipeline from the private threat intelligence feed, and each domain is stored as its SHA-256 hash rather than in plaintext: the rule hashes the exact sender domain (`sender.email.domain.domain`, the full domain of the sender address) and checks it against the hashed list. This keeps the feed's domains out of the public rule text, but it also means the match is exact: a subdomain or lookalike of a listed domain produces a different hash and does not fire this rule.

Sublime rule (View on GitHub)

```yaml
name: "Observed IOC: Malicious sender domains"
description: "Detects inbound messages sent from known malicious sender domains. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed."
type: "rule"
severity: "high"
source: |
  // AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
  // Managed by automated IOC system
  type.inbound
  and hash.sha256(sender.email.domain.domain) in (
    '0a6141ede4cee26d2290785f273077a1c8fb02994b1ea8443b7a05bee9ed9660', // Observed malicious sender domain
    '31b3ad77a8d0c9e808620aa13a714703ecb1447aab96e9728256fdb320d02b94', // Malicious Sender Observed - Fake Investment Phishing
    '32162c01a405aac2862c06917563a5c602490d04c885f4bf1e19fc755aee1a49', // Malicious Sender Observed - Fake Investment Phishing
    '4148bbc8c4290f37a6c4287ff1825702a76b8d3c56ffdbbf60bd7caf83ac0cd7', // Malicious Sender Observed - Fake Investment Phishing
    '4329aaaa62552b1c483a0de41ed0e2e525b87ed31b4cfccae105ef38791a9ab6', // Observed malicious sender domain
    '474d832968657bdd6413125a433a4d2383c5541aa98389eb1cb5101076d835f2', // Malicious Sender - Fake Investment phishing
    '474d832968657bdd6413125a433a4d2383c5541aa98389eb1cb5101076d835f2', // Malicious Sender - Fake Investment phishing
    '53cdb6a96d07000b264424868f28564826567f2ec9b98f168982ed5c00ac73d0', // Malicious Sender Observed - Fake Investment Phishing
    '664186e4b85b8d398d1d6adca6be413bf885c446cea1aad92805f0eb7ea3b06f', // Malicious Sender Observed - Fake Investment Phishing
    '6c55da6d7e08986dd61d6e85ec7ccdaf632b0655cd3faa5b7345bd36feaefdbd', // Malicious Sender Observed - Fake Investment Phishing
    '779ec0285d40312e71048ff8816996c8ca58321d283135e4058306407deb7d89', // Malicious Sender - Fake Investment phishing
    '779ec0285d40312e71048ff8816996c8ca58321d283135e4058306407deb7d89', // Malicious Sender - Fake Investment phishing
    '96b900c0976abd5a44b474e78f99b052b06e60490a68b4ada0822f7e3d5ebd86', // Malicious Sender - Fake Investment phishing
    '96b900c0976abd5a44b474e78f99b052b06e60490a68b4ada0822f7e3d5ebd86', // Malicious Sender - Fake Investment phishing
    'a06cc80cd1ab962012feb626443397f1a62c328bcae6449406a0ac1e23a1d977', // Malicious Sender Observed - Fake Investment Phishing
    'a0e396a21badb0832c85f4d77e62f2063a23a5673f5e856610a2f80764801132', // Malicious Sender Observed - Fake Investment Phishing
    'a48480f4977e425042f14b2b6e9c379c7ecf913211d11f6d605cf5009a5a0bbe', // Malicious Sender - Fake Investment phishing
    'a48480f4977e425042f14b2b6e9c379c7ecf913211d11f6d605cf5009a5a0bbe', // Malicious Sender - Fake Investment phishing
    'a5b43bc33d73ce5271e0fc5de835e0447891cf03c4afec52d3e9f9f64e0dab49', // Malicious Sender Observed - Fake Investment Phishing
    'ae17c9b46750752e693bee15d77d940793862112ba2247f2f0506da9036dbe11', // Observed malicious sender domain
    'bbdbb3c2eb9a4844abce22abd9ebe8315a18e2d7a4c58c37c15b572e3ddbcac1', // Malicious Sender Observed - Fake Investment Phishing
    'beb77deb75c7ba96d7a2096dec8ade6e8b4ea5ec6c72afc9fae054479e98fffa', // Observed malicious sender domain
    'cd53341855f7ab0ebb852bdb74d1305e1a7720a8b388d5cac6aee7583738ad1f', // Malicious Sender Observed - Fake Investment Phishing
    'd2f634bdb8d7cbe7d68ed88e5d4e82d733d167fabaef3dcf9e9b74ac732cfef3', // Malicious Sender Observed - Fake Investment Phishing
    'e9c66e037a06bd8e1b07aff28f2e1644fc1684c294394a75d2c54ba1b0bc5b44', // Observed malicious sender domain
    'ee275dbc838ad90d2039bcc3ac43419823e10efd9bbd428a673f84e23f3b3eac', // Malicious Sender - Fake Investment phishing
    'ee275dbc838ad90d2039bcc3ac43419823e10efd9bbd428a673f84e23f3b3eac', // Malicious Sender - Fake Investment phishing
    'f6b617570c13f90125ad3bd8dfcd445dc3a72472cca869b81344f39f0cc63b8c', // Malicious Sender Observed - Fake Investment Phishing
    'f9c727407117deb36e64c54263731370aa49caafa7348a04b6af9daf1b99767d', // Observed malicious sender domain
    'fd81a1ac33dca138eb203faa6d34bf1b446633b5a3b380927daabbbed9194c0c', // Observed malicious sender domain
    'ff242a5a574b77b143a1a2953e56a86c916794fd71d27033493a7d0aade24890' // Malicious Sender Observed - Fake Investment Phishing
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Impersonation: Domain"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "Header analysis"
id: "c2d3e4f5-a6b7-4c9d-ae1f-a2b3c4d5e6f7"
```
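The following is an added example, not Sublime's code or part of the rule above. It reproduces the two halves of the mechanism the rule relies on: the pipeline side, which turns plaintext feed domains into the hashed `in (...)` list, and the detection side, which hashes the sender domain of a message and looks it up. The feed domains, analyst notes and messages are constructed for the example (the plaintext behind the page's real hashes is not known and is not reproduced); the helper names are hypothetical; and it assumes `sender.email.domain.domain` is the full, lowercased domain of the address in the `From:` header. The subdomain message shows the exact-match caveat from the description: a different host under a listed domain hashes to a different value and does not match.

```python
import email
import hashlib
from email import policy
from email.utils import parseaddr
from typing import Dict, Optional

# Constructed stand-in for the private threat feed (plaintext domain -> analyst note).
# These are not the domains behind the hashes in the rule on this page.
FEED_DOMAINS: Dict[str, str] = {
    "invest-returns-now.example": "Malicious Sender Observed - Fake Investment Phishing",
    "quick-profit-alerts.example": "Observed malicious sender domain",
}


def sha256_hex(value: str) -> str:
    """Same transform as the rule's hash.sha256(): SHA-256 of the UTF-8 string, lowercase hex."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_ioc_list(domains: Dict[str, str]) -> Dict[str, str]:
    """Pipeline side (hypothetical): hash each feed domain exactly as the rule
    will hash the sender domain, i.e. over the lowercased, trimmed full domain."""
    return {sha256_hex(d.strip().lower()): note for d, note in domains.items()}


def render_mql_in_clause(hashed: Dict[str, str]) -> str:
    """Emit the hashed list in the layout the auto-generated rule uses:
    one quoted hash per line, trailing comma on all but the last, note as a // comment."""
    entries = sorted(hashed.items())
    lines = []
    for i, (h, note) in enumerate(entries):
        sep = "," if i < len(entries) - 1 else ""
        lines.append(f"    '{h}'{sep} // {note}")
    return "(\n" + "\n".join(lines) + "\n  )"


def sender_domain(raw_message: bytes) -> str:
    """Detection side: the full domain of the From: address, lowercased.
    Assumption: this is what sender.email.domain.domain evaluates to."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def matches_ioc(raw_message: bytes, hashed: Dict[str, str]) -> Optional[str]:
    """Equivalent of `hash.sha256(sender.email.domain.domain) in (...)`.
    Returns the analyst note for the matching entry, or None."""
    domain = sender_domain(raw_message)
    if not domain:
        return None
    return hashed.get(sha256_hex(domain))


# Constructed sample messages (not real traffic).
MSG_HIT = (
    b"From: \"Wealth Desk\" <advisor@Invest-Returns-Now.example>\r\n"
    b"To: victim@corp.example\r\n"
    b"Subject: Guaranteed 40% return this quarter\r\n\r\n"
    b"Reply today to secure your allocation.\r\n"
)
# Same registered domain, but a subdomain: the exact-match hash differs.
MSG_SUBDOMAIN = (
    b"From: advisor@mail.invest-returns-now.example\r\n"
    b"To: victim@corp.example\r\n"
    b"Subject: Guaranteed 40% return this quarter\r\n\r\n"
    b"Reply today.\r\n"
)
# Display name mentions a listed domain, but the address itself is elsewhere.
MSG_BENIGN = (
    b"From: \"invest-returns-now.example support\" <help@partner.example>\r\n"
    b"To: victim@corp.example\r\n"
    b"Subject: Invoice\r\n\r\n"
    b"Attached.\r\n"
)

IOC_LIST = build_ioc_list(FEED_DOMAINS)

if __name__ == "__main__":
    print(render_mql_in_clause(IOC_LIST))
    for label, msg in (("hit", MSG_HIT), ("subdomain", MSG_SUBDOMAIN), ("benign", MSG_BENIGN)):
        print(f"{label:10} {sender_domain(msg):40} -> {matches_ioc(msg, IOC_LIST)}")
```

Because the lookup is on the hash of the exact domain string, case and surrounding whitespace must be normalised identically on both sides; if the pipeline ever hashes a root domain while the rule hashes `sender.email.domain.domain`, every entry silently stops matching, so a regression message like `MSG_HIT` above is worth keeping alongside the generated list.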