sublimehighRule

Punycode sender domain

The sender's domain contains punycode, a technique used by attackers to impersonate legitimate domains.

MITRE ATT&CK

T1566 T1566.001 T1566.002 T1598 T1204.002 T1486 T1036 T1027 T1583.001

defense-evasioninitial-access

Detection Query

type.inbound
and strings.ilike(sender.email.domain.domain, "*xn--*")

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

References

Raw Content

name: Punycode sender domain
description: |
  The sender's domain contains punycode, a technique
  used by attackers to impersonate legitimate domains.
references:
  - "https://cybersecurityventures.com/beware-of-lookalike-domains-in-punycode-phishing-attacks/"
  - "https://twitter.com/krabsonsecurity/status/1340935135076569089"
  - "https://en.wikipedia.org/wiki/IDN_homograph_attack"
type: "rule"
severity: "high"
source: |
  type.inbound
  and strings.ilike(sender.email.domain.domain, "*xn--*")
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Lookalike domain"
  - "Punycode"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
id: "bc3d8db5-dc83-5b77-bee4-9cf62f32b6de"