Observed IOC: Malicious sender email addresses

Sublime Rules

Summary
This rule detects inbound email events from known malicious senders by matching the SHA-256 hash of the sender's email address against an automatically managed IOC (Indicator of Compromise) list sourced from a private threat intelligence feed. The IOC list is hashed server-side to protect the raw addresses and is updated automatically, so no manual edits are needed. The rule triggers when type.inbound is true and hash.sha256(sender.email.email) is in the IOC set, covering attack types including BEC/Fraud, Credential Phishing, and Malware/Ransomware. Tactics include Impersonation: Email address and Social engineering, with detection methods focusing on Sender analysis and Header analysis. Deployment considerations include running the rule at mail gateways or network perimeters and complementing it with DKIM/SPF/DMARC validation to reduce false positives. Note the potential impact on legitimate senders, so implement appropriate whitelisting and rate controls as needed.
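The matching logic described above, as an added Python example that is not part of the Sublime rule or its feed: it hashes a constructed placeholder feed server-side, then evaluates constructed messages against the same type.inbound and hash-membership condition. The normalize() step and the message dictionary layout are assumptions; they show why the feed and the message side must hash the address identically, since SHA-256 is an exact match and a case difference alone changes the digest.

```python
import hashlib

# Constructed sample threat feed of raw sender addresses (placeholder values,
# not real indicators).
RAW_FEED = ["attacker@example.invalid", "Billing@fraud-example.test"]

def normalize(address: str) -> str:
    # Assumption: addresses are trimmed and lowercased before hashing. SHA-256
    # is an exact-match function, so the same normalization must be applied
    # to the feed and to every message, or "Attacker@..." silently misses.
    return address.strip().lower()

def hash_address(address: str) -> str:
    return hashlib.sha256(normalize(address).encode("utf-8")).hexdigest()

def build_ioc_set(feed):
    # The server-side hashing step: only digests are distributed to the rule.
    return {hash_address(a) for a in feed}

def rule_matches(message: dict, ioc_hashes: set) -> bool:
    # Mirrors the rule expression: type.inbound and
    # hash.sha256(sender.email.email) in the IOC set.
    if not message.get("type", {}).get("inbound", False):
        return False
    sender = message.get("sender", {}).get("email", {}).get("email", "")
    return bool(sender) and hash_address(sender) in ioc_hashes

def make_message(sender: str, inbound: bool = True) -> dict:
    # Minimal stand-in for the message fields the rule reads (constructed).
    return {"type": {"inbound": inbound}, "sender": {"email": {"email": sender}}}

def evaluate(messages, ioc_hashes):
    # Returns the sender addresses that fired the rule, in order, for review.
    return [m["sender"]["email"]["email"] for m in messages if rule_matches(m, ioc_hashes)]

if __name__ == "__main__":
    iocs = build_ioc_set(RAW_FEED)
    msgs = [
        make_message("attacker@example.invalid"),         # exact match
        make_message("Attacker@example.invalid"),         # matches only via normalization
        make_message("attacker@example.invalid", False),  # outbound: rule does not apply
        make_message("colleague@example.invalid"),        # benign, no match
    ]
    print(evaluate(msgs, iocs))
```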
Categories
  • Network
  • Endpoint
Data Sources
  • Network Traffic
Created: 2026-04-25