
Summary
This rule detects inbound messages that contain links to known malicious domains. It relies on an automated IOC feed in which the indicator domains are stored as SHA-256 hashes and compared against a small, curated set of obfuscated indicators. The condition applies to inbound messages (type.inbound) and evaluates every link present in the current thread (body.current_thread.links). For each link, it hashes the domain portion (.href_url.domain.domain) and checks whether the resulting hash matches one of the two configured IOC hashes. When a match occurs, the rule raises a high-severity alert. The IOC list is auto-managed and updated by the IOC pipeline, so no manual edits are made.

The rule addresses phishing and malware-related threats by flagging links to malicious domains in messages. It uses URL analysis and content analysis to identify suspicious links, and it maps to the evasion and social engineering techniques used in credential theft and malware distribution. It is designed to reduce exposure to link-based phishing and to drive containment actions at the point of inbound communication. The file path indicates an auto-generated YAML rule intended for automated IOC management and deployment in detection engines.
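As an added example (not the rule's own YAML and not the detection engine's code), the matching logic described above written out in Python. The IOC hashes are derived here from two constructed domains so the example runs offline, the message layout follows the field names quoted in the summary, and the domain normalization (lowercase, trailing dot stripped) is an assumption of this example rather than something the rule states.

```python
import hashlib

# Constructed sample indicators. In the real rule only the SHA-256 hashes ship
# (auto-managed by the IOC pipeline); deriving them from domains here keeps the
# example self-contained.
CONSTRUCTED_IOC_DOMAINS = ["payroll-update.invalid", "secure-login.invalid"]


def hash_domain(domain: str) -> str:
    """SHA-256 hex digest of a normalized domain.
    Lowercasing and stripping a trailing dot are assumptions of this example."""
    return hashlib.sha256(domain.strip().lower().rstrip(".").encode()).hexdigest()


IOC_HASHES = frozenset(hash_domain(d) for d in CONSTRUCTED_IOC_DOMAINS)


def matching_links(message: dict, ioc_hashes: frozenset = IOC_HASHES) -> list:
    """Mirror the rule's condition: inbound only, then every link in the current
    thread body whose hashed domain is in the IOC set. Returns the raw domain
    strings that matched."""
    if not message.get("type", {}).get("inbound", False):
        return []
    hits = []
    for link in message.get("body", {}).get("current_thread", {}).get("links", []):
        domain = link.get("href_url", {}).get("domain", {}).get("domain")
        if domain and hash_domain(domain) in ioc_hashes:
            hits.append(domain)
    return hits


def evaluate(message: dict) -> dict:
    """Rule verdict: a high-severity alert record when any link matches."""
    hits = matching_links(message)
    return {"match": bool(hits), "severity": "high" if hits else None, "domains": hits}


# Constructed inbound message with one benign link and one matching link.
SAMPLE_MESSAGE = {
    "type": {"inbound": True},
    "body": {"current_thread": {"links": [
        {"href_url": {"domain": {"domain": "example.org"}}},
        {"href_url": {"domain": {"domain": "Payroll-Update.invalid."}}},
    ]}},
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_MESSAGE))
```

Because the comparison is an exact hash match, a subdomain or lookalike of an indicator (for instance sub.payroll-update.invalid) does not match; that is the limitation to keep in mind when reading a miss from this rule.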
Categories
- Web
- Application
Data Sources
- Process
- Application Log
- Domain Name
Created: 2026-04-25