Observed IOC: Malicious sender root domains

Detects inbound messages sent from known malicious sender root domains. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed.

Sublime rule (View on GitHub)

 1name: "Observed IOC: Malicious sender root domains"
 2description: "Detects inbound messages sent from known malicious sender root domains. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed."
 3type: "rule"
 4severity: "high"
 5source: |
 6  // AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
 7  // Managed by automated IOC system
 8  type.inbound
 9  and hash.sha256(sender.email.domain.root_domain) in (
10    '0d5c8fb81fbe42f919341fc80f73437d1077d70f9da986e5719bd68274b42626', // Brand impersonation giveaways with AFF
11    '3e09e73578196179a054606834b0cd7172a619f5e4702f2424dfbd0ab4d79786', // Brand impersonation giveaways with AFF
12    '62241b7477485898cdb45d9814693e9cb4989ee7bd65c2c3e205a91b84cf3fec', // Brand impersonation giveaways with AFF
13    '674b7cb4df4d9e115dd57ad0eb8227f6bb7719ef596c17a7443883718632c6ff', // Brand impersonation giveaways with AFF
14    '724eba9594f52e2aeaed2e58926f8c52048accc44a15ecc0bdb5a0a101dbc268', // Brand impersonation giveaways with AFF
15    '91d0721e7cf3646224f8e95f6b5582b83a13c483eb56423bfb585af6392df11b', // Brand impersonation giveaways with AFF
16    'a8c8b0ee7c69c310e54d8710c3575a9e1de9a2950e6ed1806c1fe60e6cb63d36', // Brand impersonation giveaways with AFF
17    'ae7ef98abc59eabb4d6ee22444c16d791f49505ea657c37f4ff5846b273cb30d', // Brand impersonation giveaways with AFF
18    'e1bbb6342ed70324f41fd3b3e5f6694f28af4aa24bac67b6634daecf18acbc78', // Brand impersonation giveaways with AFF
19    'e4beaafe95cdcf3d596eefa2006e77eb826efae12a693fdf83c6c8c43d92c29f' // Brand impersonation giveaways with AFF
20  )  
21
22attack_types:
23  - "BEC/Fraud"
24  - "Credential Phishing"
25  - "Malware/Ransomware"
26tactics_and_techniques:
27  - "Impersonation: Domain"
28  - "Social engineering"
29detection_methods:
30  - "Sender analysis"
31  - "Header analysis"
32id: "d3e4f5a6-b7c8-4d0e-bf2a-b3c4d5e6f7a8"
to-top