sublime medium Rule
Fake warning banner using confusable characters
Detects messages containing fake security banners that use visually similar characters to impersonate legitimate sender verification text, potentially to bypass security controls and deceive recipients.
Detection Query
type.inbound
and (
  regex.contains(strings.replace_confusables(body.current_thread.text),
                 'This sender has been verified fro(?:m|rn) safe senders list'
  )
  or any(body.current_thread.banners,
         regex.contains(strings.replace_confusables(.text),
                        'This sender has been verified fro(?:m|rn) safe senders list'
         )
  )
)
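A Python approximation of the query's logic, added here as an illustration and not part of the rule or of Sublime's implementation. `strings.replace_confusables` is stood in for by NFKC normalization plus a small assumed look-alike table, and the sample messages are constructed.

```python
import re
import unicodedata

# Assumed, deliberately small look-alike table (Cyrillic/Greek -> ASCII).
# It is a stand-in for strings.replace_confusables, not its real mapping.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0441": "c", "\u0440": "p",
    "\u0456": "i", "\u0455": "s", "\u0445": "x", "\u0443": "y", "\u0501": "d",
    "\u03bf": "o", "\u03bd": "v", "\u0422": "T", "\u0405": "S",
})

# Same pattern as the rule: "rn" is accepted as a visual substitute for "m".
BANNER = re.compile(r"This sender has been verified fro(?:m|rn) safe senders list")


def normalize(text: str) -> str:
    """Fold compatibility forms (fullwidth, math letters) and mapped look-alikes."""
    return unicodedata.normalize("NFKC", text).translate(CONFUSABLES)


def check(text: str) -> dict:
    """Compare matching on raw text with matching after confusable folding."""
    folded = normalize(text)
    return {
        "raw_match": bool(BANNER.search(text)),
        "normalized_match": bool(BANNER.search(folded)),
        "had_confusables": folded != text,  # useful triage signal
    }


# Constructed sample bodies.
SAMPLES = {
    # Cyrillic е / а / о in place of Latin letters
    "cyrillic": "This s\u0435nd\u0435r h\u0430s b\u0435\u0435n v\u0435rifi\u0435d "
                "fr\u043em s\u0430f\u0435 s\u0435nd\u0435rs list",
    # Plain ASCII, but "m" written as "rn"
    "rn_for_m": "This sender has been verified frorn safe senders list",
    # Fullwidth capital T, folded by NFKC
    "fullwidth": "\uff34his sender has been verified from safe senders list",
    # Benign text that only shares a phrase with the banner
    "benign": "Please add us to your safe senders list to keep receiving updates.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10s} {check(body)}")
```

Only the folded text matches for the Cyrillic and fullwidth samples, which is why the rule normalizes before applying the regex.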
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Fake warning banner using confusable characters"
description: "Detects messages containing fake security banners that use visually similar characters to impersonate legitimate sender verification text, potentially to bypass security controls and deceive recipients."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    regex.contains(strings.replace_confusables(body.current_thread.text),
                   'This sender has been verified fro(?:m|rn) safe senders list'
    )
    or any(body.current_thread.banners,
           regex.contains(strings.replace_confusables(.text),
                          'This sender has been verified fro(?:m|rn) safe senders list'
           )
    )
  )
attack_types:
- "BEC/Fraud"
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Social engineering"
detection_methods:
- "Content analysis"
id: "179ee1ff-b9d3-572f-b7d9-466e58e81c75"