
Observed IOC: Malicious reply-to root domains

Sublime Rules

Summary
Technical summary: This rule inspects inbound email messages for a Reply-To header whose root domain matches a curated list of known-malicious root domains sourced from a private threat intelligence feed. The IOC pipeline manages the indicators automatically and stores them as hashes so that the raw domains are not exposed. In the source the rule is currently disabled, with a directive noting that there are no active IOCs at the moment. When enabled, it triggers on inbound messages whose Reply-To root domain matches a hashed malicious root domain, using header analysis (and sender analysis) to corroborate the domain impersonation. The rule covers BEC/fraud, credential phishing, and malware/ransomware campaigns that rely on domain impersonation and social engineering. It uses the Domain Name data source with detection methods focused on header and sender information. The rule ID is provided for traceability, and the rule file path indicates that it is auto-generated.
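The matching logic described above, as an added illustration in Python that is not the rule's own source or part of the Sublime Rules project. It assumes a few things the page does not state: that indicators are SHA-256 digests of the lowercased root domain, a toy public-suffix set standing in for a real one, and a sender-mismatch check (Reply-To root domain differing from the From root domain) as the "sender analysis" corroboration. The two messages and the indicator list are constructed for the example; a real feed would ship only the digests, never the plaintext domains.

```python
import hashlib
from email import message_from_string
from email.utils import getaddresses

# Assumption: a toy public-suffix set. A real implementation would use the
# full Public Suffix List (e.g. via tldextract); "co.uk" is here so the
# example exercises a multi-label suffix.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "example"}


def root_domain(host: str) -> str:
    """Return the registrable (root) domain of a hostname, e.g.
    mail.evil-corp.co.uk -> evil-corp.co.uk. Falls back to the host itself
    when no known suffix is found."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return host.lower()


def indicator_hash(domain: str) -> str:
    # Assumption: indicators are SHA-256 over the lowercased root domain.
    return hashlib.sha256(domain.lower().encode()).hexdigest()


# Constructed indicator list for the example. Only the digests would be
# distributed in practice; an empty set models the "no active IOCs" state,
# in which the rule can never fire.
MALICIOUS_ROOT_HASHES = {indicator_hash(d) for d in ("evil-corp.co.uk", "bad-domain.com")}


def _header_domains(msg, header: str) -> list[str]:
    """Host parts of every address in the given header (handles multiple
    addresses and display names)."""
    return [addr.rpartition("@")[2] for _, addr in getaddresses(msg.get_all(header, [])) if "@" in addr]


def evaluate(raw_message: str, inbound: bool = True) -> dict:
    """Evaluate one message against the hashed Reply-To indicator set."""
    msg = message_from_string(raw_message)
    from_roots = {root_domain(h) for h in _header_domains(msg, "From")}
    matched = []
    mismatch = False
    if inbound:  # the rule only applies to inbound mail
        for host in _header_domains(msg, "Reply-To"):
            rd = root_domain(host)
            if indicator_hash(rd) in MALICIOUS_ROOT_HASHES:
                matched.append(rd)
                # Corroboration: Reply-To points somewhere other than the sender.
                mismatch = mismatch or rd not in from_roots
    return {
        "match": bool(matched),
        "matched_root_domains": matched,
        "reply_to_differs_from_sender": mismatch,
    }


# Constructed sample messages (not real traffic).
PHISH_MESSAGE = """\
From: "Finance Director" <director@legit-company.example>
Reply-To: "Finance Director" <director@mail.evil-corp.co.uk>
To: ap@victim.example
Subject: Updated wire instructions

Please use the new account details attached.
"""

BENIGN_MESSAGE = """\
From: "Help Desk" <support@legit-company.example>
Reply-To: <support@legit-company.example>
To: ap@victim.example
Subject: Ticket closed

Your ticket has been resolved.
"""

if __name__ == "__main__":
    print(evaluate(PHISH_MESSAGE))
    print(evaluate(BENIGN_MESSAGE))
```

Hashing the root domain rather than the full hostname is what lets one indicator cover every subdomain an attacker rotates through; the trade-off is that a single legitimate root on the list (for example a shared webmail provider) would match every message replying to it, which is why the rule pairs the match with sender analysis rather than firing on the domain alone.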
Categories
  • Identity Management
Data Sources
  • Domain Name
Created: 2026-04-28