Observed IOC: Malicious sender email addresses

calendar Apr 24, 2026  ·
Share on: linkedin copy

Detects inbound messages from known malicious sender email addresses. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed.

Sublime rule (View on GitHub)

 1name: "Observed IOC: Malicious sender email addresses"
 2description: "Detects inbound messages from known malicious sender email addresses. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed."
 3type: "rule"
 4severity: "high"
 5source: |
 6  // AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
 7  // Managed by automated IOC system
 8  type.inbound
 9  and hash.sha256(sender.email.email) in (
10    '0cb0ec45f1392918c2f720f262df8883ae5feb7f3f7fcab3e39a0c659dd29e55', // Observed malicious sender
11    '5b5be14defe0402d391348747d654cefa42685470bcea9080c1db55a7beacddb', // Observed malicious sender email
12    'c95e3bd1bf9cbd95ddef3c0516683f5b0f8c1f5e05ea4ceb35e81896bc7b27c7' // Observed malicious sender impersonating Google Workspace team
13  )  
14
15attack_types:
16  - "BEC/Fraud"
17  - "Credential Phishing"
18  - "Malware/Ransomware"
19tactics_and_techniques:
20  - "Impersonation: Email address"
21  - "Social engineering"
22detection_methods:
23  - "Sender analysis"
24  - "Header analysis"
25id: "b1c2d3e4-f5a6-4b8c-9d0e-f1a2b3c4d5e6"
to-top