Observed IOC: Malicious reply-to domains

Sublime Rules

Summary
Detects inbound email messages whose Reply-To header references a domain known to be malicious according to an automatically managed IOC pipeline. The IOC list is hashed and ingested from a private threat intelligence feed, and the rule itself is auto-generated. As shown in the source header, there are no active IOCs at the moment, so the rule is temporarily disabled to avoid false positives. When enabled, the rule compares the Reply-To domain of each incoming message against the IOC list and triggers on a match. Applicable attack types include BEC/Fraud, Credential Phishing, and Malware/Ransomware; the tactics and techniques covered are Impersonation: Domain and Social engineering. Detection methods are header analysis and sender analysis. The rule resides in an auto-generated path and uses the provided IOC pipeline for domain hashing and matching.
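The matching logic the summary describes, as an added illustration rather than the rule's own source: the feed is modelled as a set of SHA-256 hashes of lowercased domains (a constructed stand-in, since the real feed is private), the Reply-To header is parsed from a constructed sample message, and an empty IOC set disables the rule so it cannot fire. The `hash_domain` and `evaluate` names are assumptions for this example.

```python
import hashlib
from email import message_from_string
from email.utils import getaddresses


def hash_domain(domain: str) -> str:
    """Normalise a domain (lowercase, no trailing dot) and hash it as the feed does."""
    return hashlib.sha256(domain.strip().lower().rstrip(".").encode()).hexdigest()


# Constructed stand-in for the hashed IOC feed; the plaintext domain never
# appears in the rule itself, only its hash.
IOC_DOMAIN_HASHES = {hash_domain("malicious-example.invalid")}


def reply_to_domains(raw_message: str) -> list[str]:
    """Return the normalised domain of every address in the Reply-To header(s)."""
    msg = message_from_string(raw_message)
    domains = []
    for _, addr in getaddresses(msg.get_all("Reply-To", [])):
        if "@" in addr:
            domains.append(addr.rsplit("@", 1)[1].lower().rstrip("."))
    return domains


def evaluate(raw_message: str, ioc_hashes: set[str]) -> dict:
    """Mirror the rule: disabled with no active IOCs, otherwise match hashed Reply-To domains."""
    if not ioc_hashes:
        # No active IOCs: the rule stays off to avoid false positives.
        return {"enabled": False, "match": False, "domains": []}
    matched = [d for d in reply_to_domains(raw_message) if hash_domain(d) in ioc_hashes]
    return {"enabled": True, "match": bool(matched), "domains": matched}


# Constructed sample messages: one whose Reply-To points at the IOC domain,
# one with no Reply-To header at all.
SAMPLE_MATCH = (
    "From: Accounts <ap@example.com>\n"
    'Reply-To: "Accounts" <ap@Malicious-Example.invalid.>\n'
    "Subject: Invoice\n\nPlease see attached.\n"
)
SAMPLE_CLEAN = (
    "From: Accounts <ap@example.com>\n"
    "Subject: Invoice\n\nPlease see attached.\n"
)

if __name__ == "__main__":
    print(evaluate(SAMPLE_MATCH, IOC_DOMAIN_HASHES))
    print(evaluate(SAMPLE_CLEAN, IOC_DOMAIN_HASHES))
    print(evaluate(SAMPLE_MATCH, set()))
```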
Categories
  • Network
Data Sources
  • Network Traffic
  • Application Log
Created: 2026-04-28