Observed IOC: Malicious sender root domains

Detects inbound messages sent from known malicious sender root domains. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed.

Sublime rule (View on GitHub)

```yaml
name: "Observed IOC: Malicious sender root domains"
description: "Detects inbound messages sent from known malicious sender root domains. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed."
type: "rule"
severity: "high"
source: |
  // AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
  // Managed by automated IOC system
  type.inbound
  and hash.sha256(sender.email.domain.root_domain) in (
    'bca881482859b1d19364b40f36d9287fc56a073266ea2a6800f3f48cd927535f', // Subscription renewal callback
    'fed6d9c30d5d05ac9112171af40e3f217d546d89af8ff60fd0a7f05ba423aa06' // Subscription renewal callback
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Impersonation: Domain"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "Header analysis"
id: "d3e4f5a6-b7c8-4d0e-bf2a-b3c4d5e6f7a8"
```
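The rule's match logic re-implemented as an added Python example (not Sublime's code): the sender's domain is lowercased and reduced to its registrable root, hashed with SHA-256, and compared against the hashed IOC set, which is why the rule file can ship without exposing the plain-text indicators. The IOC domains, the tiny public-suffix table and the sample messages are constructed for this example; a real implementation would use the full Public Suffix List.

```python
"""Equivalent of: type.inbound and hash.sha256(sender.email.domain.root_domain) in (...)"""
import hashlib

# Constructed stand-in for the Public Suffix List: suffixes that span two labels.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def root_domain(domain: str) -> str:
    """Registrable root domain (eTLD+1), lowercased, mirroring sender.email.domain.root_domain."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sha256_hex(value: str) -> str:
    """Hex SHA-256 of the UTF-8 string, as hash.sha256() produces in the rule."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


# Constructed IOC domains. Only their hashes would appear in a shipped rule,
# so the hashed set below is what the detection actually compares against.
IOC_DOMAINS = ["renewal-notice.example", "billing-alerts.co.uk"]
HASHED_IOCS = {sha256_hex(d) for d in IOC_DOMAINS}


def matches_rule(message: dict, hashed_iocs: set = HASHED_IOCS) -> bool:
    """True when the message is inbound and its sender root domain hashes to a listed IOC."""
    if not message.get("inbound", False):
        return False  # outbound / internal mail is out of scope, like type.inbound
    sender_domain = message["sender_email"].rsplit("@", 1)[-1]
    return sha256_hex(root_domain(sender_domain)) in hashed_iocs


if __name__ == "__main__":
    # Constructed sample: a subdomain of a listed root still matches after normalisation.
    print(matches_rule({"inbound": True, "sender_email": "noreply@mail.Renewal-Notice.example"}))
```

Note that a lookalike such as `renewal-notice.example.net` normalises to `example.net` and does not match; the hashed list only catches the exact registrable roots the feed supplied.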