Observed IOC: Malicious sender root domains

Sublime Rules

Summary
This rule detects inbound email messages whose sender root domain matches a known malicious root domain from an automatically managed IOC feed. It computes hash.sha256(sender.email.domain.root_domain) and checks whether the resulting hash is a member of an IOC list that is updated automatically by a private threat intelligence pipeline; the IOC entries are never edited manually. On a match, the rule triggers with high severity. The rule targets campaigns that rely on domain impersonation and social engineering, including BEC, credential phishing, and malware/ransomware delivery. Its detection methods are sender analysis and header analysis, using inbound network traffic data and domain-name context to identify suspicious origins. The rule is designed to flag inbound messages in which attackers send from domains that appear trustworthy but are known to be malicious.
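The matching logic described above, as an added Python example that is not part of the Sublime rule or its IOC pipeline: it reduces the sender address to its root domain, hashes it with SHA-256, and checks membership in a hash-only IOC set. The two-label suffix table, the IOC domains and the sample messages are constructed for the demo; the real rule derives root_domain from the message itself and consumes a feed maintained elsewhere.

```python
import hashlib
from email.utils import parseaddr

# Constructed stand-in for a public-suffix list, so that registrable
# root domains under multi-label suffixes are derived correctly.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def root_domain(fqdn: str) -> str:
    """Reduce a host name to its registrable root domain.

    mail.shop.example.co.uk -> example.co.uk ; billing.evil-example.test -> evil-example.test
    """
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sha256_hex(value: str) -> str:
    """Hex SHA-256 of a string, mirroring hash.sha256(...) in the rule."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


# Constructed IOC feed: only hashes of root domains are stored, never the
# plaintext domains. The real list is managed automatically by a pipeline.
IOC_ROOT_DOMAIN_HASHES = {
    sha256_hex(d) for d in ("evil-example.test", "badcorp-example.invalid")
}


def matches_ioc(from_header: str, direction: str = "inbound") -> bool:
    """True when an inbound sender's root-domain hash is in the IOC set."""
    if direction != "inbound":          # the rule only covers inbound mail
        return False
    _, addr = parseaddr(from_header)    # strip display name, keep addr-spec
    if "@" not in addr:
        return False
    sender_domain = addr.rsplit("@", 1)[1]
    return sha256_hex(root_domain(sender_domain)) in IOC_ROOT_DOMAIN_HASHES


def evaluate(messages):
    """Run the check over (From header, direction) pairs; returns list of (addr, hit)."""
    return [(frm, matches_ioc(frm, d)) for frm, d in messages]


if __name__ == "__main__":
    # Constructed sample messages: a subdomain of an IOC domain still hits,
    # an unrelated domain does not, and outbound mail is ignored.
    for frm, hit in evaluate([
        ("CEO <ceo@billing.evil-example.test>", "inbound"),
        ("Payroll <hr@good-example.test>", "inbound"),
        ("Me <me@evil-example.test>", "outbound"),
    ]):
        print(f"{'HIT ' if hit else 'pass'} {frm}")
```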
Categories
  • Network
Data Sources
  • Network Traffic
  • Domain Name
Created: 2026-04-25