
Summary
Detects inbound email messages whose sender domain appears on an automatically managed list of known malicious domains. The comparison is done on hashes rather than plaintext: the rule evaluates only type.inbound messages and fires when hash.sha256(sender.email.domain.domain) is found in the list of hashed domains. The IOC list is populated and updated by an automated pipeline and is not edited by hand, so new indicators take effect without any change to the rule itself. Matches support detections for BEC/Fraud, Credential Phishing, and Malware/Ransomware. Associated tactics are Domain Impersonation and Social Engineering; the detection method is sender/header analysis.
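The matching logic described above, as an added example in Python rather than the rule engine's own query language (this is illustrative code, not the rule or its pipeline). It assumes a constructed IOC list of placeholder .example domains, a `Message` record standing in for the inbound flag and sender domain, and a canonical form (lowercase, trimmed, no trailing dot) that both the IOC pipeline and the rule must agree on, since SHA-256 of "Evil.example" and "evil.example" differ. It also shows that hashing the full sender domain is an exact match: a subdomain of a listed domain does not hit unless the list carries that exact string.

```python
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, List

# Constructed IOC list for this example: placeholder .example domains,
# not real indicators. In the rule these arrive already hashed from the
# automated pipeline; here they are hashed locally so the example is
# self-contained.
IOC_DOMAINS = ["malicious-sender.example", "fake-invoice.example"]


def canonical_domain(domain: str) -> str:
    """Normalize a domain before hashing.

    Assumption: the pipeline hashes lowercase, trimmed domains with no
    trailing dot. Any mismatch in canonical form between the list and the
    rule produces a different SHA-256 and a silent miss.
    """
    return domain.strip().rstrip(".").lower()


def domain_hash(domain: str) -> str:
    """SHA-256 hex digest of the canonical sender domain.

    Mirrors hash.sha256(sender.email.domain.domain) in the rule.
    """
    return hashlib.sha256(canonical_domain(domain).encode("utf-8")).hexdigest()


# The hashed list the rule would compare against.
HASHED_IOCS: FrozenSet[str] = frozenset(domain_hash(d) for d in IOC_DOMAINS)


@dataclass
class Message:
    """Hypothetical stand-in for the fields the rule reads."""
    inbound: bool          # type.inbound
    sender_domain: str     # sender.email.domain.domain
    subject: str = ""


def rule_matches(msg: Message, iocs: FrozenSet[str] = HASHED_IOCS) -> bool:
    """type.inbound and hash.sha256(sender.email.domain.domain) in $iocs."""
    if not msg.inbound:
        return False
    return domain_hash(msg.sender_domain) in iocs


def evaluate(messages: List[Message], iocs: FrozenSet[str] = HASHED_IOCS) -> List[Message]:
    """Return the messages the rule would flag."""
    return [m for m in messages if rule_matches(m, iocs)]


# Constructed sample traffic covering the cases that matter:
SAMPLE_MESSAGES = [
    Message(True, "malicious-sender.example", "Invoice overdue"),      # exact hit
    Message(True, "Malicious-Sender.example.", "Re: payment"),          # hit after normalization
    Message(False, "malicious-sender.example", "outbound reply"),       # outbound: never flagged
    Message(True, "mail.malicious-sender.example", "Password reset"),   # subdomain: exact match misses
    Message(True, "benign-partner.example", "Quarterly report"),        # clean sender
]

if __name__ == "__main__":
    for m in evaluate(SAMPLE_MESSAGES):
        print(f"FLAGGED inbound from {m.sender_domain!r}: {m.subject}")
```

Two practical notes follow from the sample run. First, the hashed list only protects against casual disclosure of the indicator set; a domain is a low-entropy value, so anyone with a candidate list can hash it and test membership. Second, if the pipeline emits hashes of registrable (root) domains, the rule must hash the same field on the message side, or subdomain senders will be missed as shown above.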
Categories
- Network
Data Sources
- Network Traffic
Created: 2026-04-25