← Back to Explore
sublimelowRule
Display Name Emoji with Financial Symbols
Detects messages where the sender's display name contains emoji characters alongside financial symbols ($ £ € ¥ ₿) in the subject line. The sender's domain is not present in the Alexa top 1 million sites and has DMARC authentication issues.
Detection Query
type.inbound
// Check for emoji in sender display name using Unicode ranges
and regex.contains(sender.display_name,
'[\x{1F600}-\x{1F64F}]|[\x{1F300}-\x{1F5FF}]|[\x{1F680}-\x{1F6FF}]|[\x{1F1E0}-\x{1F1FF}]|[\x{2600}-\x{26FF}]|[\x{2700}-\x{27BF}]'
)
// Check for financial symbols in subject
and regex.contains(subject.subject, '[\$£€¥₿]')
and (
headers.auth_summary.dmarc.pass is null
or headers.auth_summary.dmarc.pass == false
)
and sender.email.domain.root_domain not in $alexa_1m
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Display Name Emoji with Financial Symbols"
description: "Detects messages where the sender's display name contains emoji characters alongside financial symbols ($ £ € ¥ ₿) in the subject line. The sender's domain is not present in the Alexa top 1 million sites and has DMARC authentication issues."
type: "rule"
severity: "low"
source: |
type.inbound
// Check for emoji in sender display name using Unicode ranges
and regex.contains(sender.display_name,
'[\x{1F600}-\x{1F64F}]|[\x{1F300}-\x{1F5FF}]|[\x{1F680}-\x{1F6FF}]|[\x{1F1E0}-\x{1F1FF}]|[\x{2600}-\x{26FF}]|[\x{2700}-\x{27BF}]'
)
// Check for financial symbols in subject
and regex.contains(subject.subject, '[\$£€¥₿]')
and (
headers.auth_summary.dmarc.pass is null
or headers.auth_summary.dmarc.pass == false
)
and sender.email.domain.root_domain not in $alexa_1m
attack_types:
- "BEC/Fraud"
- "Callback Phishing"
tactics_and_techniques:
- "Social engineering"
- "Evasion"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Sender analysis"
id: "f316f335-51ac-5ead-a059-53fdcb0cb50c"