sublime · low · Rule

Link: Display text with excessive right-to-left mark characters

Detects links where the display text contains a high concentration of Unicode right-to-left mark characters (U+200F), which may be used to obfuscate or manipulate the visual representation of the link text to deceive recipients.

MITRE ATT&CK

defense-evasion

Detection Query

type.inbound
and length(html.xpath(body.html, '//a').nodes) < 10
and any(html.xpath(body.html, '//a').nodes,
        regex.icontains(.inner_text, '(?:[A-Za-z]\x{200F}){2,}[A-Za-z]')
)
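
The query's two conditions (fewer than 10 links, and link text with at least three letters interleaved with U+200F) can be reproduced offline. This is an added Python sketch, not Sublime's MQL engine or the rule author's code; the function names and sample HTML are constructed, and because Python's `re` has no `\x{...}` escape the mark is written `\u200f`.

```python
import re
from html.parser import HTMLParser

RLM = "\u200f"  # U+200F RIGHT-TO-LEFT MARK
# Same pattern as the rule: two or more letter+RLM pairs, then another letter.
PATTERN = re.compile(r"(?:[A-Za-z]\u200f){2,}[A-Za-z]", re.IGNORECASE)
MAX_LINKS = 10  # the rule only fires when the body has fewer than 10 <a> nodes


class AnchorText(HTMLParser):
    """Collect the text inside each <a> element (nested anchors not handled)."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True also decodes &#x200F;
        self.texts = []
        self._in_a = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_a = True
            self.texts.append("")

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_a = False

    def handle_data(self, data):
        if self._in_a:
            self.texts[-1] += data


def rlm_link_texts(body_html):
    """Return display texts that match, or [] when the link-count gate fails."""
    parser = AnchorText()
    parser.feed(body_html)
    parser.close()
    if len(parser.texts) >= MAX_LINKS:
        return []
    return [t for t in parser.texts if PATTERN.search(t)]


def visible(text):
    """Strip U+200F to show what the recipient actually reads."""
    return text.replace(RLM, "")


# Constructed sample body (not taken from real mail): "Sign in" with a mark
# between every character.
OBFUSCATED = '<p>Hi</p><a href="https://example.test/x">' + RLM.join("Sign in") + "</a>"
```

A single stray mark, as in `Sign\u200f in`, does not match, since the pattern needs two consecutive letter+mark pairs; marks written as `&#x200F;` character references match the same way once the HTML is decoded.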

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Raw Content

name: "Link: Display text with excessive right-to-left mark characters"
description: "Detects links where the display text contains a high concentration of Unicode right-to-left mark characters (U+200F), which may be used to obfuscate or manipulate the visual representation of the link text to deceive recipients."
type: "rule"
severity: "low"
source: |
  type.inbound
  and length(html.xpath(body.html, '//a').nodes) < 10
  and any(html.xpath(body.html, '//a').nodes,
          regex.icontains(.inner_text, '(?:[A-Za-z]\x{200F}){2,}[A-Za-z]')
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "a45cfd4c-3690-51a8-96b8-fb4daab18eca"