← Back to Explore
sublimemediumRule
Cyrillic vowel substitution in subject or display name from unknown sender
This rule detects unsolicited messages containing a mix of Cyrillic and Latin characters in the subject or sender's name while excluding emails from Russian domains and specific Google Calendar notification bounce emails.
Detection Query
type.inbound
// message contains between 1 and 9 links
and (
0 < length(body.links) < 10
or (
length(body.links) == 0
and length(attachments) > 0
and body.current_thread.text == ""
)
)
// display name or subject contains Cyrillic vowels in addition to standard letters
and any([subject.subject, sender.display_name],
regex.icontains(., '(а|е|и|о|у)') and regex.icontains(., '[a-z]')
)
// and the senders tld or return path is not "ru"
and not (
sender.email.domain.tld == "ru" or headers.return_path.domain.tld == "ru"
)
// and the return path is not 'calendar-server.bounces.google.com'
and not headers.return_path.domain.domain == 'calendar-server.bounces.google.com'
and not headers.return_path.domain.domain == 'identity-reachout.bounces.google.com'
and not headers.return_path.domain.domain == 'bounce-sg.zoom.us'
and not headers.return_path.domain.domain == 'bounce.dataminr.com'
and not headers.return_path.domain.domain == 'mail-us.atlassian.net'
// the message is unsolicited and no false positives
and (
not profile.by_sender().solicited
or (
length(headers.reply_to) > 0
and all(headers.reply_to, .email.email not in $recipient_emails)
)
)
and not profile.by_sender().any_messages_benign
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Cyrillic vowel substitution in subject or display name from unknown sender"
description: "This rule detects unsolicited messages containing a mix of Cyrillic and Latin characters in the subject or sender's name while excluding emails from Russian domains and specific Google Calendar notification bounce emails."
type: "rule"
severity: "medium"
source: |
type.inbound
// message contains between 1 and 9 links
and (
0 < length(body.links) < 10
or (
length(body.links) == 0
and length(attachments) > 0
and body.current_thread.text == ""
)
)
// display name or subject contains Cyrillic vowels in addition to standard letters
and any([subject.subject, sender.display_name],
regex.icontains(., '(а|е|и|о|у)') and regex.icontains(., '[a-z]')
)
// and the senders tld or return path is not "ru"
and not (
sender.email.domain.tld == "ru" or headers.return_path.domain.tld == "ru"
)
// and the return path is not 'calendar-server.bounces.google.com'
and not headers.return_path.domain.domain == 'calendar-server.bounces.google.com'
and not headers.return_path.domain.domain == 'identity-reachout.bounces.google.com'
and not headers.return_path.domain.domain == 'bounce-sg.zoom.us'
and not headers.return_path.domain.domain == 'bounce.dataminr.com'
and not headers.return_path.domain.domain == 'mail-us.atlassian.net'
// the message is unsolicited and no false positives
and (
not profile.by_sender().solicited
or (
length(headers.reply_to) > 0
and all(headers.reply_to, .email.email not in $recipient_emails)
)
)
and not profile.by_sender().any_messages_benign
tags:
- "Attack surface reduction"
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Social engineering"
- "Spoofing"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Sender analysis"
id: "74bc0b0c-891d-53c8-ae01-bc12018c5624"