Attachment: Filename containing Unicode right-to-left override character
Recursively identifies attachments that attempt to conceal their true file extension by using right-to-left override characters
Detection Query
type.inbound
and any(attachments,
        regex.icontains(.file_name, '\x{202E}', '\x{202D}')
        or (
          .file_extension in~ $file_extensions_common_archives
          and any(file.explode(.),
                  regex.icontains(.file_name, '\x{202E}', '\x{202D}')
          )
        )
)
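As an added illustration (not part of the rule or of Sublime's platform), the Python below reimplements the rule's logic over a constructed message: flag any attachment whose filename contains U+202E or U+202D, and, for zip attachments, explode the archive and check each member name. `COMMON_ARCHIVE_EXTS` and `explode_zip` are assumed stand-ins for the rule's `$file_extensions_common_archives` list and `file.explode`.

```python
import io
import zipfile
from email.message import EmailMessage

# Characters the rule searches for: U+202E RIGHT-TO-LEFT OVERRIDE, U+202D LEFT-TO-RIGHT OVERRIDE.
OVERRIDE_CHARS = ("\u202e", "\u202d")
# Assumed stand-in for $file_extensions_common_archives; only zip is exploded here.
COMMON_ARCHIVE_EXTS = {"zip"}

def has_override(name):
    """True if a filename carries a bidi override character (the rule's regex.icontains)."""
    return any(ch in (name or "") for ch in OVERRIDE_CHARS)

def extension(name):
    """Lower-cased extension, mirroring the rule's case-insensitive 'in~' match."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def explode_zip(data):
    """Member names of an in-memory zip, one level deep (stand-in for file.explode)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist()]

def find_override_attachments(msg):
    """Return (attachment filename, offending filename) pairs the rule would flag."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if has_override(name):
            hits.append((name, name))
        elif extension(name) in COMMON_ARCHIVE_EXTS:
            try:
                members = explode_zip(part.get_payload(decode=True))
            except zipfile.BadZipFile:
                continue  # corrupt or fake archive: nothing to recurse into
            hits.extend((name, m) for m in members if has_override(m))
    return hits

def build_sample_message():
    """Constructed sample: a disguised .exe, a clean PDF, and a zip hiding a disguised .scr."""
    msg = EmailMessage()
    msg.set_content("See attached.")
    # U+202E makes the tail 'fdp.exe' render reversed, so the name displays as 'invoice_exe.pdf'.
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream", filename="invoice_\u202efdp.exe")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="report.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo_\u202dgnp.scr", b"x")  # U+202D is flagged by the rule as well
        zf.writestr("readme.txt", b"hello")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="photos.zip")
    return msg
```

Running `find_override_attachments(build_sample_message())` flags the disguised executable directly and the zip through its member name, while the clean PDF and readme are left alone.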
Author
vector_sec
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
References
Raw Content
name: "Attachment: Filename containing Unicode right-to-left override character"
description: |
  Recursively identifies attachments that attempt to conceal their true file extension by using right-to-left override characters
references:
  - "https://redcanary.com/blog/right-to-left-override/"
  - "https://sublimecommunity.slack.com/archives/C02N1F7FP7C/p1644411026329629"
type: "rule"
authors:
  - twitter: "vector_sec"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          regex.icontains(.file_name, '\x{202E}', '\x{202D}')
          or (
            .file_extension in~ $file_extensions_common_archives
            and any(file.explode(.),
                    regex.icontains(.file_name, '\x{202E}', '\x{202D}')
            )
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "357c57a1-dd29-5ad8-ae2f-c4f4c6489575"