EXPLORE
← Back to Explore
sublimemediumRule

Body: Invisible Unicode obfuscation student loan callback phishing

Detects messages containing clusters of Unicode zero-width and invisible characters (such as LRM, RLM, zero-width space, BOM, and directional isolates) interspersed within digit sequences and body content matching 'student loan' patterns. This technique is used to obscure text from security filters while remaining visually coherent to recipients.

MITRE ATT&CK

defense-evasioninitial-access

Detection Query

type.inbound
and regex.contains(body.html.raw,
                   '(\x{2065}|\x{200E}|\x{200F}|\x{2066}|\x{2067}|\x{2068}|\x{2069}|\x{200B}|\x{200C}|\x{200D}|\x{FEFF}){3}'
)
and regex.contains(body.html.raw,
                   '\d[\x{200E}\x{200F}\x{200B}\x{200C}\x{200D}\x{2065}\x{FEFF}]{1,6}\d'
)
and regex.icontains(body.html.raw,
                    's.{0,6}t.{0,6}u.{0,6}d.{0,6}e.{0,6}n.{0,6}t.{0,10}l.{0,6}o.{0,6}a.{0,6}n'
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Body: Invisible Unicode obfuscation student loan callback phishing"
description: "Detects messages containing clusters of Unicode zero-width and invisible characters (such as LRM, RLM, zero-width space, BOM, and directional isolates) interspersed within digit sequences and body content matching 'student loan' patterns. This technique is used to obscure text from security filters while remaining visually coherent to recipients."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and regex.contains(body.html.raw,
                     '(\x{2065}|\x{200E}|\x{200F}|\x{2066}|\x{2067}|\x{2068}|\x{2069}|\x{200B}|\x{200C}|\x{200D}|\x{FEFF}){3}'
  )
  and regex.contains(body.html.raw,
                     '\d[\x{200E}\x{200F}\x{200B}\x{200C}\x{200D}\x{2065}\x{FEFF}]{1,6}\d'
  )
  and regex.icontains(body.html.raw,
                      's.{0,6}t.{0,6}u.{0,6}d.{0,6}e.{0,6}n.{0,6}t.{0,10}l.{0,6}o.{0,6}a.{0,6}n'
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "HTML analysis"
  - "Content analysis"
id: "6b951465-0566-58e4-b29e-d0bc998adca0"