← Back to Explore
sublimemediumRule
Body: Invisible Unicode obfuscation student loan callback phishing
Detects messages containing clusters of Unicode zero-width and invisible characters (such as LRM, RLM, zero-width space, BOM, and directional isolates) interspersed within digit sequences and body content matching 'student loan' patterns. This technique is used to obscure text from security filters while remaining visually coherent to recipients.
Detection Query
type.inbound
and regex.contains(body.html.raw,
'(\x{2065}|\x{200E}|\x{200F}|\x{2066}|\x{2067}|\x{2068}|\x{2069}|\x{200B}|\x{200C}|\x{200D}|\x{FEFF}){3}'
)
and regex.contains(body.html.raw,
'\d[\x{200E}\x{200F}\x{200B}\x{200C}\x{200D}\x{2065}\x{FEFF}]{1,6}\d'
)
and regex.icontains(body.html.raw,
's.{0,6}t.{0,6}u.{0,6}d.{0,6}e.{0,6}n.{0,6}t.{0,10}l.{0,6}o.{0,6}a.{0,6}n'
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Body: Invisible Unicode obfuscation student loan callback phishing"
description: "Detects messages containing clusters of Unicode zero-width and invisible characters (such as LRM, RLM, zero-width space, BOM, and directional isolates) interspersed within digit sequences and body content matching 'student loan' patterns. This technique is used to obscure text from security filters while remaining visually coherent to recipients."
type: "rule"
severity: "medium"
source: |
type.inbound
and regex.contains(body.html.raw,
'(\x{2065}|\x{200E}|\x{200F}|\x{2066}|\x{2067}|\x{2068}|\x{2069}|\x{200B}|\x{200C}|\x{200D}|\x{FEFF}){3}'
)
and regex.contains(body.html.raw,
'\d[\x{200E}\x{200F}\x{200B}\x{200C}\x{200D}\x{2065}\x{FEFF}]{1,6}\d'
)
and regex.icontains(body.html.raw,
's.{0,6}t.{0,6}u.{0,6}d.{0,6}e.{0,6}n.{0,6}t.{0,10}l.{0,6}o.{0,6}a.{0,6}n'
)
attack_types:
- "BEC/Fraud"
- "Credential Phishing"
- "Spam"
tactics_and_techniques:
- "Evasion"
- "Social engineering"
detection_methods:
- "HTML analysis"
- "Content analysis"
id: "6b951465-0566-58e4-b29e-d0bc998adca0"