
Summary
This rule detects inbound email messages whose Reply-To header matches a known malicious address retrieved from an automatically managed IOC feed. The IOC list is hashed and ingested by the private threat intelligence pipeline. Detection combines header analysis, which parses the Reply-To field and compares it against the hashed IOC set, with sender analysis, which evaluates the sender's identity and whether it aligns with the Reply-To header and the purported sender.

The rule is associated with the BEC/Fraud, Credential Phishing, and Malware/Ransomware attack types; its core tactics are impersonation of an email address and social engineering. It is configured as high severity because a fraudulent email that matches can lead to credential theft or malware delivery.

Note that the source indicates there are currently no active IOCs and the rule is temporarily disabled, so no detections will occur until the IOC pipeline provides active entries. Once enabled, the rule reduces risk by blocking or flagging messages that attempt to exploit trust via a malicious Reply-To address.

Limitations include dependence on the accuracy and timeliness of the IOC feed, potential false positives in legitimate setups that use non-standard Reply-To addresses, and the need to keep the IOC pipeline synchronized with mail gateway workflows. Operational deployment should confirm that IOC ingestion is active and that flagged messages trigger the appropriate investigation and remediation workflows.
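The detection logic described above, as an added example that is not the rule's own implementation: it hashes a constructed IOC list, parses the Reply-To header of a constructed raw message, compares the normalized address hashes against the IOC set, and reports whether the Reply-To domain aligns with the From domain. It also models the disabled state, returning no match when the rule is off or the IOC set is empty. All addresses, domains, and messages below are constructed sample data, and the SHA-256 normalization is an assumption, not the pipeline's actual hashing scheme.

```python
import hashlib
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed IOC feed entries (not real indicators). A real pipeline would
# deliver these already hashed; here we hash them locally for the demo.
IOC_PLAINTEXT = [
    "finance-desk@example-bad.test",
    "payroll.update@example-evil.test",
]


def normalize_address(addr):
    """Extract the bare address from a display-name form and lowercase it."""
    _name, email_addr = parseaddr(addr)
    return email_addr.strip().lower()


def hash_address(addr):
    """Hash a normalized address; hashed comparison avoids keeping plaintext IOCs."""
    return hashlib.sha256(normalize_address(addr).encode("utf-8")).hexdigest()


def build_ioc_set(addresses):
    return {hash_address(a) for a in addresses}


def domain_of(addr):
    email_addr = normalize_address(addr)
    return email_addr.rsplit("@", 1)[1] if "@" in email_addr else ""


def evaluate_message(raw, ioc_hashes, enabled=True):
    """Header analysis plus sender analysis for one raw RFC 5322 message.

    Returns a dict with 'matched' (True only when the rule is enabled, the IOC
    set is non-empty and a Reply-To address hashes into it), the parsed
    Reply-To addresses, and 'sender_aligned' (Reply-To domain == From domain).
    """
    result = {"matched": False, "reply_to": [], "hits": [],
              "sender_aligned": None, "reason": ""}
    # Models the "temporarily disabled / no active IOCs" state from the summary.
    if not enabled or not ioc_hashes:
        result["reason"] = "rule disabled or IOC set empty"
        return result

    msg = message_from_string(raw)
    reply_to_values = msg.get_all("Reply-To", [])
    addrs = [normalize_address(a) for _n, a in getaddresses(reply_to_values)]
    addrs = [a for a in addrs if a]
    result["reply_to"] = addrs
    if not addrs:
        result["reason"] = "no Reply-To header"
        return result

    # Sender analysis: does the reply path stay within the purported sender's domain?
    from_domain = domain_of(msg.get("From", ""))
    result["sender_aligned"] = all(domain_of(a) == from_domain for a in addrs)

    # Header analysis: compare hashed Reply-To addresses against the hashed IOC set.
    result["hits"] = [a for a in addrs if hash_address(a) in ioc_hashes]
    if result["hits"]:
        result["matched"] = True
        result["reason"] = "Reply-To matches IOC feed entry"
    else:
        result["reason"] = "no IOC match"
    return result


# Constructed sample messages (not real mail).
MALICIOUS = """From: "CFO" <cfo@example-corp.test>
To: accounts@example-corp.test
Subject: Urgent wire
Reply-To: "Finance Desk" <Finance-Desk@Example-Bad.TEST>

Please process the attached invoice today.
"""

BENIGN = """From: "Helpdesk" <helpdesk@example-corp.test>
To: staff@example-corp.test
Subject: Ticket update
Reply-To: tickets@example-corp.test

Your ticket has been updated.
"""

IOC_HASHES = build_ioc_set(IOC_PLAINTEXT)

if __name__ == "__main__":
    for label, raw in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, evaluate_message(raw, IOC_HASHES))
    print("disabled", evaluate_message(MALICIOUS, IOC_HASHES, enabled=False))
```

Normalizing before hashing matters: the sample Reply-To uses mixed case and a display name, and without lowercasing and stripping the display name the hash would never match the feed entry. The alignment flag is reported separately from the IOC match so an analyst can see a mismatched reply path even when the feed has no entry for it.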
Categories
- Application
- Identity Management
Data Sources
- Network Traffic
- Application Log
Created: 2026-04-28