Update observed IOC rules - 2026-06-19 (#4704)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: github-actions[bot]

detection-rules/observed_malicious_sender_domains.yml

@@ -7,7 +7,10 @@ source: |
   // Managed by automated IOC system
   type.inbound
   and hash.sha256(sender.email.domain.domain) in (
-    '28b686d3c7b091ebdda1373f58a16635f4dacaaa748d0a4f2175273a09662770' // Malicious Sender - Multiple Lures spaning multiple days
+    '28b686d3c7b091ebdda1373f58a16635f4dacaaa748d0a4f2175273a09662770', // Malicious Sender - Multiple Lures spaning multiple days
+    '485e31e6b5bb45a44e24eb69ce3daafc6ea335b5d387e80684298a5397358840', // Observed compromised account
+    '6a6070cb3594362b3c54d21006450be34222dc578acbc97b357f946d8d564471', // Observed compromised account
+    '7606728ae9565e84698ddba62e40a35865ec7edbd5ca7710d8a7182768dc439d' // Observed compromised account
   )
 
 attack_types:

detection-rules/observed_malicious_sender_emails.yml

@@ -8,10 +8,8 @@ source: |
   type.inbound
   and hash.sha256(sender.email.email) in (
     '4ee49251788e4434160029e76e7c168432a1d5df45177b8c113a60562b2f4743', // Observed malicious sender
-    '7affbe4b711761fcbeea34fafe0df6d217463064e60510e12af92b57dbfbf186', // Observed malicious sender
     '8030cd12e522cf160c85171bfaee999d095e79bd66815d4604f5e4406a1c566c', // Observed malicious sender - multiple cred phish lures
-    'b2051a0fd6b19df331f4ee71671c8a6fc621544fb046574edd8233a585247d0a', // Observed malicious sender
-    'd3193407cf75baf52783c7bfc1929e7c968cd71d113c12cba0b4b31e68dce8ff' // Observed malicious sender
+    'b2051a0fd6b19df331f4ee71671c8a6fc621544fb046574edd8233a585247d0a' // Observed malicious sender
   )
 
 attack_types: