[Test Rules] [PR #4350] added rule: Observed IOC: Malicious domains in body links

Author: github-actions[bot]

detection-rules/4350_observed_malicious_body_link_domains.yml

@@ -0,0 +1,27 @@
+name: "Observed IOC: Malicious domains in body links"
+description: "Detects inbound messages containing links to known malicious domains in the message body. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed."
+type: "rule"
+severity: "high"
+source: |
+  // AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
+  // Managed by automated IOC system
+  type.inbound
+  and any(body.current_thread.links,
+          hash.sha256(.href_url.domain.domain) in (
+            '358871a6a4b575d4943918cc1cb7cfc82b6c93eb7b926bee522bc97b013f8710', // Observed malicious domain in message body links
+            '96cf4453229b1cdcc1fd94d07260c037a57b999ea93d6b6f360f655305a4ad86' // Observed malicious domain in message body links
+          )
+  )// END AUTO-GENERATED
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "Social engineering"
+detection_methods:
+  - "URL analysis"
+  - "Content analysis"
+id: "5240c3fe-f268-5c72-bf42-4d78ddbfeab6"
+og_id: "e4f5a6b7-c8d9-4e1f-8a3b-c4d5e6f7a8b9"
+testing_pr: 4350
+testing_sha: e969e4109eeb42fbb3209493a900e983cfd6a8c2