Sublime | Severity: medium | Rule
HTML: Bidirectional (BIDI) HTML override with right to left obfuscation
Body HTML contains multiple instances of right-to-left (RTL) text direction override markup, which can be used to manipulate how text is displayed and potentially bypass common string checks.
MITRE ATT&CK
defense-evasion, initial-access, execution
Detection Query
type.inbound
// You should only observe RTL injection when RTL languages are present.
and (
  regex.icount(body.html.raw,
               '<span style="unicode-bidi: bidi-override; display: inline-block;" dir="rtl">'
  ) + regex.icount(body.html.raw, '<bdo dir="rtl">')
  // Counting occurrences, with a threshold, keeps false positives (FPs) manageable.
) >= 3
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "HTML: Bidirectional (BIDI) HTML override with right to left obfuscation"
description: "Body HTML contains multiple instances of right-to-left (RTL) text direction override markup, which can be used to visually manipulate text display and potentially bypass common strings checks."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // You should only observe RTL injection when RTL languages are present.
  and (
    regex.icount(body.html.raw,
                 '<span style="unicode-bidi: bidi-override; display: inline-block;" dir="rtl">'
    ) + regex.icount(body.html.raw, '<bdo dir="rtl">')
    // Counting occurrences, with a threshold, keeps false positives (FPs) manageable.
  ) >= 3
attack_types:
- "BEC/Fraud"
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Social engineering"
- "Scripting"
detection_methods:
- "Content analysis"
- "HTML analysis"
id: "f93940d2-0713-5a4c-8864-3d3441b5fd5a"