From 1faff7cbb8da75251a1abbfad7e44666434d38de Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Fri, 22 May 2026 00:57:16 +0000
Subject: [PATCH 1/3] chore: Update IOC rule - Observed IOC: Malicious sender email addresses
---
 detection-rules/observed_malicious_sender_emails.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/detection-rules/observed_malicious_sender_emails.yml b/detection-rules/observed_malicious_sender_emails.yml
index 82cd2969842..4e9ce779073 100644
--- a/detection-rules/observed_malicious_sender_emails.yml
+++ b/detection-rules/observed_malicious_sender_emails.yml
@@ -7,10 +7,8 @@ source: |
 // Managed by automated IOC system
 type.inbound
 and hash.sha256(sender.email.email) in (
- '0cb0ec45f1392918c2f720f262df8883ae5feb7f3f7fcab3e39a0c659dd29e55', // Observed malicious sender
 '284bc29a19d2f97642e3e69e0b5f6bac0d425b6a25827b9947aec4fb5faac812', // Observed malicious sender
 '4d0f2dc143055878708d4a8587acd7880d9f2cb64037abefd9e8b140429c4d61', // Observed malicious sender
- '5b5be14defe0402d391348747d654cefa42685470bcea9080c1db55a7beacddb', // Observed malicious sender email
 '77eb1e845faaef33b55023bf10fa643206e8620c49d5d1f4eba9d7d5882093f0', // Observed malciiouc sender, AFF and fake zoom meetings
 '7affbe4b711761fcbeea34fafe0df6d217463064e60510e12af92b57dbfbf186', // Observed malicious sender
 '8d6bf7faaf7190b52d0e7a079cd71228e2d1a20a6fac7749b23226181fe57b7f', // Observed malicious sender
From 15e3358c38677c2dbae17afe2be4c05a1113bbd5 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 25 May 2026 00:59:14 +0000
Subject: [PATCH 2/3] chore: Update IOC rule - Observed IOC: Malicious root domains in body links
---
 .../observed_malicious_body_link_root_domains.yml | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/detection-rules/observed_malicious_body_link_root_domains.yml b/detection-rules/observed_malicious_body_link_root_domains.yml
index b76073271f4..fe20fe2b000 100644
--- a/detection-rules/observed_malicious_body_link_root_domains.yml
+++ b/detection-rules/observed_malicious_body_link_root_domains.yml
@@ -5,13 +5,7 @@ severity: "high"
 source: |
 // AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
 // Managed by automated IOC system
- type.inbound
- and any(body.current_thread.links,
- hash.sha256(.href_url.domain.root_domain) in (
- '2b3a899b37c99e1be17799f8aa08cf09ba253fade16c0aa4aa5a92a28df3d492', // Invoice themed cred theft
- 'bc470dca9be34cef8b0179168bf667fa4b2e2ea4e364e1b404033913bc8b11a0' // Encrypted Message fake Dropbox Lure
- )
- )
+ false // no active IOCs - rule is temporarily disabled
 attack_types:
 - "Credential Phishing"
From 54e9abfc46369258fe4857dd84db5af2b2eadbd9 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 25 May 2026 00:59:14 +0000
Subject: [PATCH 3/3] chore: Update IOC rule - Observed IOC: Malicious sender domains
---
 detection-rules/observed_malicious_sender_domains.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/detection-rules/observed_malicious_sender_domains.yml b/detection-rules/observed_malicious_sender_domains.yml
index 404e0de9e2e..a7631456e66 100644
--- a/detection-rules/observed_malicious_sender_domains.yml
+++ b/detection-rules/observed_malicious_sender_domains.yml
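Review bot: The added `false // no active IOCs - rule is temporarily disabled` line turns the rule into a permanent no-op while the surrounding record still advertises `severity: "high"` and `attack_types: - "Credential Phishing"`, so anything that reports enabled rules or coverage by metadata will count a rule that can never fire. Because the header marks the file as generated, the fix belongs in the generator rather than a hand edit: have it record when and why the rule went dark and what predicate to restore, e.g. `false // disabled 2026-05-25: no active IOCs; restore type.inbound and any(body.current_thread.links, hash.sha256(.href_url.domain.root_domain) in (...)) when IOCs are re-added`. Whether the rule engine offers an explicit enabled flag as a cleaner alternative to a `false` body I cannot tell from this hunk. The rule file continues both before and after this hunk.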
@@ -24,11 +24,9 @@ source: |
 'a48480f4977e425042f14b2b6e9c379c7ecf913211d11f6d605cf5009a5a0bbe', // Malicious Sender - Fake Investment phishing
 'a48480f4977e425042f14b2b6e9c379c7ecf913211d11f6d605cf5009a5a0bbe', // Malicious Sender - Fake Investment phishing
 'a5b43bc33d73ce5271e0fc5de835e0447891cf03c4afec52d3e9f9f64e0dab49', // Malicious Sender Observed - Fake Investment Phishing
- 'ae17c9b46750752e693bee15d77d940793862112ba2247f2f0506da9036dbe11', // Observed malicious sender domain
 'bbdbb3c2eb9a4844abce22abd9ebe8315a18e2d7a4c58c37c15b572e3ddbcac1', // Malicious Sender Observed - Fake Investment Phishing
 'cd53341855f7ab0ebb852bdb74d1305e1a7720a8b388d5cac6aee7583738ad1f', // Malicious Sender Observed - Fake Investment Phishing
 'd2f634bdb8d7cbe7d68ed88e5d4e82d733d167fabaef3dcf9e9b74ac732cfef3', // Malicious Sender Observed - Fake Investment Phishing
- 'e9c66e037a06bd8e1b07aff28f2e1644fc1684c294394a75d2c54ba1b0bc5b44', // Observed malicious sender domain
 'ee275dbc838ad90d2039bcc3ac43419823e10efd9bbd428a673f84e23f3b3eac', // Malicious Sender - Fake Investment phishing
 'ee275dbc838ad90d2039bcc3ac43419823e10efd9bbd428a673f84e23f3b3eac', // Malicious Sender - Fake Investment phishing
 'f6b617570c13f90125ad3bd8dfcd445dc3a72472cca869b81344f39f0cc63b8c', // Malicious Sender Observed - Fake Investment Phishing