Observed IOC: Malicious sender email addresses

Detects inbound messages whose sender email address appears on a list of known malicious senders. The list is generated automatically by the IOC pipeline from a private threat intelligence feed and stored as SHA-256 hashes of the addresses (see `hash.sha256(sender.email.email)` in the rule source), so the raw indicators are not published in the rule itself and the list is not meant to be edited by hand.

Sublime rule

name: "Observed IOC: Malicious sender email addresses"
description: "Detects inbound messages from known malicious sender email addresses. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed."
type: "rule"
severity: "high"
source: |
  // AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
  // Managed by automated IOC system
  type.inbound
  and hash.sha256(sender.email.email) in (
    '0cb0ec45f1392918c2f720f262df8883ae5feb7f3f7fcab3e39a0c659dd29e55', // Observed malicious sender
    '284bc29a19d2f97642e3e69e0b5f6bac0d425b6a25827b9947aec4fb5faac812', // Observed malicious sender
    '4d0f2dc143055878708d4a8587acd7880d9f2cb64037abefd9e8b140429c4d61', // Observed malicious sender
    '5b5be14defe0402d391348747d654cefa42685470bcea9080c1db55a7beacddb', // Observed malicious sender email
    '77eb1e845faaef33b55023bf10fa643206e8620c49d5d1f4eba9d7d5882093f0', // Observed malicious sender, AFF and fake Zoom meetings
    '7affbe4b711761fcbeea34fafe0df6d217463064e60510e12af92b57dbfbf186', // Observed malicious sender
    '8d6bf7faaf7190b52d0e7a079cd71228e2d1a20a6fac7749b23226181fe57b7f', // Observed malicious sender
    '9fed4647a02202737b9c642f2fd764ec1d679e0510caaa749744c5f25dc07f8f', // Observed malicious sender
    'd3193407cf75baf52783c7bfc1929e7c968cd71d113c12cba0b4b31e68dce8ff' // Observed malicious sender
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Impersonation: Email address"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "Header analysis"
id: "b1c2d3e4-f5a6-4b8c-9d0e-f1a2b3c4d5e6"
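The rule's logic is simple enough to reproduce outside Sublime, which is useful for two things a practitioner will want: checking whether a given address would fire the rule without revealing the indicator list, and sanity-checking a regenerated list before it is committed. The following Python is an added example written for this page; it is not code from the rule, the IOC pipeline or Sublime's own evaluator. It assumes the pipeline hashes the stripped, lowercased address (the page does not state its normalization, so adjust `ioc_hash` if the pipeline hashes the raw string), and it models the message with a plain dict whose keys mirror the MQL field names (`type`, `sender.email.email`), which is a stand-in and not Sublime's API. The sample messages and the extra sender address are constructed for the example.

```python
import hashlib
import re

# Hashed sender IOCs copied from the rule above (SHA-256 hex digests of the
# sender email addresses; the rule's per-entry comments are omitted).
IOC_SENDER_HASHES = frozenset({
    "0cb0ec45f1392918c2f720f262df8883ae5feb7f3f7fcab3e39a0c659dd29e55",
    "284bc29a19d2f97642e3e69e0b5f6bac0d425b6a25827b9947aec4fb5faac812",
    "4d0f2dc143055878708d4a8587acd7880d9f2cb64037abefd9e8b140429c4d61",
    "5b5be14defe0402d391348747d654cefa42685470bcea9080c1db55a7beacddb",
    "77eb1e845faaef33b55023bf10fa643206e8620c49d5d1f4eba9d7d5882093f0",
    "7affbe4b711761fcbeea34fafe0df6d217463064e60510e12af92b57dbfbf186",
    "8d6bf7faaf7190b52d0e7a079cd71228e2d1a20a6fac7749b23226181fe57b7f",
    "9fed4647a02202737b9c642f2fd764ec1d679e0510caaa749744c5f25dc07f8f",
    "d3193407cf75baf52783c7bfc1929e7c968cd71d113c12cba0b4b31e68dce8ff",
})

HEX_SHA256 = re.compile(r"[0-9a-f]{64}")


def ioc_hash(email: str) -> str:
    """SHA-256 hex digest of a sender address, as the IOC pipeline is assumed to emit it.

    ASSUMPTION: the address is stripped and lowercased before hashing. The page
    does not state the pipeline's normalization; if it hashes the raw string,
    remove the .lower() here or lookups will silently miss.
    """
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def rule_matches(message: dict, ioc_hashes=IOC_SENDER_HASHES) -> bool:
    """Evaluate the rule's logic on a minimal message model:
    type.inbound and hash.sha256(sender.email.email) in (<list>).
    The dict layout mirrors the MQL field names; it is a stand-in, not Sublime's API."""
    if message.get("type") != "inbound":
        return False
    sender = message.get("sender", {}).get("email", {}).get("email")
    if not sender:
        return False
    return ioc_hash(sender) in ioc_hashes


def render_ioc_entry(email: str, note: str = "Observed malicious sender") -> str:
    """Render one list entry in the format the auto-generated rule source uses."""
    return f"    '{ioc_hash(email)}', // {note}"


def malformed_entries(ioc_hashes) -> list:
    """Return entries that are not 64 lowercase hex characters: a quick check
    for a regenerated list before it is committed (a stray space, uppercase
    hex or a truncated digest would never match anything)."""
    return sorted(h for h in ioc_hashes if not HEX_SHA256.fullmatch(h))


# Constructed sample data (not real traffic). The new sender is hashed and
# added to the list the way the pipeline would add a fresh IOC.
NEW_IOC_SENDER = "invoices@payroll-update.example"
EXTENDED_HASHES = IOC_SENDER_HASHES | {ioc_hash(NEW_IOC_SENDER)}

SAMPLE_MESSAGES = {
    "inbound_known_bad": {"type": "inbound", "sender": {"email": {"email": NEW_IOC_SENDER}}},
    "inbound_mixed_case": {"type": "inbound", "sender": {"email": {"email": "Invoices@Payroll-Update.example"}}},
    "outbound_known_bad": {"type": "outbound", "sender": {"email": {"email": NEW_IOC_SENDER}}},
    "inbound_unlisted": {"type": "inbound", "sender": {"email": {"email": "colleague@example.org"}}},
}


def evaluate_samples() -> dict:
    """Run the rule over the constructed samples; returns name -> matched."""
    return {name: rule_matches(msg, EXTENDED_HASHES) for name, msg in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    print(render_ioc_entry(NEW_IOC_SENDER, "Observed malicious sender (constructed example)"))
    for name, hit in evaluate_samples().items():
        print(f"{name:20s} -> {'ALERT' if hit else 'no match'}")
    print("malformed entries:", malformed_entries(EXTENDED_HASHES))
```

Two caveats worth keeping in mind when relying on this rule. `sender.email.email` is the address in the From header, which the sender controls, so the list only catches reuse of an exact address; a rotated address or a look-alike domain will not hash to any entry, and the rule should be read as high-confidence, low-coverage rather than as a substitute for behavioural detections. And because matching is on a digest, any difference in normalization between the pipeline and the evaluator (case, surrounding whitespace, display-name residue) produces a silent miss rather than an error, which is why the example hashes the same way on both sides and includes the mixed-case sample.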