
Summary
Detects inbound messages containing links to known malicious root domains by matching the SHA-256 hashes of the links' root domains against an automatically managed IOC list derived from a private threat intelligence feed. The rule evaluates inbound messages (type.inbound) and inspects body.current_thread.links, computing hash.sha256(.href_url.domain.root_domain) for each link. If any root-domain hash matches one of the IOC hashes (e.g., '2b3a899b37c99e1be17799f8aa08cf09ba253fade16c0aa4aa5a92a28df3d492' or 'bc470dca9be34cef8b0179168bf667fa4b2e2ea4e364e1b404033913bc8b11a0'), the rule triggers. Because the comparison is on the root domain, a link hosted on any subdomain or path of a listed domain is covered. The IOC list is managed automatically and is not edited by hand. This rule addresses credential phishing and malware/ransomware campaigns, using URL analysis and content analysis, with a focus on evasion and social engineering tactics. Severity is high. The file path and metadata are preserved for traceability.
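The following is an added, stand-alone illustration of the matching logic described above; it is example code, not the rule's own MQL or its IOC list. It assumes a constructed IOC set (hashes of sample domains) and a deliberately simplified root-domain extractor in place of a full Public Suffix List.

```python
import hashlib
import re
from urllib.parse import urlparse


def sha256_hex(value: str) -> str:
    """Hex SHA-256 of a string, mirroring hash.sha256(...) in the rule."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


# Simplified public-suffix handling (assumption for this example): a tiny
# constructed set of multi-label suffixes so that "x.evil.co.uk" resolves to
# "evil.co.uk". Production code should consult the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def root_domain(host: str) -> str:
    """Return the registrable (root) domain of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_links(body: str) -> list[str]:
    """Crude stand-in for body.current_thread.links: find http(s) URLs in text."""
    return re.findall(r"https?://[^\s\"'<>]+", body)


def matching_links(body: str, ioc_hashes: set[str]) -> list[str]:
    """Links whose root-domain SHA-256 appears in the IOC hash set."""
    hits = []
    for href in extract_links(body):
        host = urlparse(href).hostname
        if host and sha256_hex(root_domain(host)) in ioc_hashes:
            hits.append(href)
    return hits


def rule_triggers(body: str, ioc_hashes: set[str]) -> bool:
    """The rule fires when at least one link matches an IOC hash."""
    return bool(matching_links(body, ioc_hashes))


# Constructed IOC list: hashes of two made-up domains (not real indicators).
SAMPLE_IOC_HASHES = {sha256_hex(d) for d in ("bad-example.test", "phish-example.co.uk")}

# Constructed message body with two listed-domain links and one benign link.
SAMPLE_BODY = (
    "Please review the invoice at https://login.bad-example.test/verify?id=1 "
    "or download it from https://cdn.phish-example.co.uk/doc.pdf . "
    "Our real site is https://example.com/ok"
)
```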
Categories
- Endpoint
Data Sources
- Domain Name
Created: 2026-04-25