
Commit 8776fd1

[Shared Samples] [PR #4639] modified rule: PR# 4639 - Cyrillic vowel substitutions with suspicious subject from unknown sender
1 parent db5eb07 commit 8776fd1

1 file changed

Lines changed: 6 additions & 22 deletions


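--- a/detection-rules/4639_link_suspicious_subject_with_cyrillic_substitutions.yml
+++ b/detection-rules/4639_link_suspicious_subject_with_cyrillic_substitutions.yml
@@ -6,22 +6,12 @@ source: |
 type.inbound
 and 0 < length(body.links) < 10
 
-// display name or subject contains Cyrillic/Greek confusables alongside Latin
-// Use OR logic to catch both pure homoglyphs (adjacent) and separated mixed scripts
-and (
-// Pure homoglyphs: Latin character immediately adjacent to Cyrillic/Greek
-any([subject.subject, sender.display_name],
-regex.contains(.,
-'[a-zA-Z][\x{430}\x{435}\x{438}\x{43e}\x{443}\x{440}\x{441}\x{445}\x{456}\x{410}\x{412}\x{415}\x{41a}\x{41c}\x{41d}\x{41e}\x{420}\x{421}\x{422}\x{425}\x{391}\x{392}\x{395}\x{396}\x{397}\x{399}\x{39a}\x{39c}\x{39d}\x{39f}\x{3a1}\x{3a4}\x{3a5}\x{3a7}\x{3bf}]|[\x{430}\x{435}\x{438}\x{43e}\x{443}\x{440}\x{441}\x{445}\x{456}\x{410}\x{412}\x{415}\x{41a}\x{41c}\x{41d}\x{41e}\x{420}\x{421}\x{422}\x{425}\x{391}\x{392}\x{395}\x{396}\x{397}\x{399}\x{39a}\x{39c}\x{39d}\x{39f}\x{3a1}\x{3a4}\x{3a5}\x{3a7}\x{3bf}][a-zA-Z]'
-)
-)
-// OR mixed scripts anywhere: contains both Latin and Cyrillic/Greek (separated)
-or any([subject.subject, sender.display_name],
-regex.contains(.,
-'[\x{430}\x{435}\x{438}\x{43e}\x{443}\x{440}\x{441}\x{445}\x{456}\x{410}\x{412}\x{415}\x{41a}\x{41c}\x{41d}\x{41e}\x{420}\x{421}\x{422}\x{425}\x{391}\x{392}\x{395}\x{396}\x{397}\x{399}\x{39a}\x{39c}\x{39d}\x{39f}\x{3a1}\x{3a4}\x{3a5}\x{3a7}\x{3bf}]+'
-)
-and regex.contains(., '[a-zA-Z]')
-)
+// display name or subject contains Cyrillic/Greek confusables within the same word as Latin
+// Both scripts must appear in a single whitespace-delimited token (true homoglyph substitution)
+and any([subject.subject, sender.display_name],
+regex.contains(.,
+'[a-zA-Z][^\s]*[\x{430}\x{435}\x{438}\x{43e}\x{443}\x{440}\x{441}\x{445}\x{456}\x{410}\x{412}\x{415}\x{41a}\x{41c}\x{41d}\x{41e}\x{420}\x{421}\x{422}\x{425}\x{391}\x{392}\x{395}\x{396}\x{397}\x{399}\x{39a}\x{39c}\x{39d}\x{39f}\x{3a1}\x{3a4}\x{3a5}\x{3a7}\x{3bf}]|[\x{430}\x{435}\x{438}\x{43e}\x{443}\x{440}\x{441}\x{445}\x{456}\x{410}\x{412}\x{415}\x{41a}\x{41c}\x{41d}\x{41e}\x{420}\x{421}\x{422}\x{425}\x{391}\x{392}\x{395}\x{396}\x{397}\x{399}\x{39a}\x{39c}\x{39d}\x{39f}\x{3a1}\x{3a4}\x{3a5}\x{3a7}\x{3bf}][^\s]*[a-zA-Z]'
+)
 )
 
 // and suspicious subject
@@ -232,12 +222,6 @@ source: |
 )
 )
 and not profile.by_sender().any_messages_benign
-
-mimic:
-exempt_canonicals:
-- 402455 # Historical test sample - 8 other rules still flag
-- 936366 # Historical test sample - potential legitimate FP
-
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques: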
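Review bot: The `[^\s]*` in the new regex on line 13 of the first hunk spans punctuation as well as letters, so the "same word" guarantee the line-10 comment promises does not hold: a subject such as `Re:Привет` or a token like `Invoice(счет)` still matches because `:` and `(` are not whitespace, which is exactly the bilingual-but-legitimate case the rewrite was narrowing away from. If the regex engine is Unicode-aware, replacing `[^\s]*` with `[\p{L}\p{N}]*` in both alternatives would confine the match to letter/digit runs and make the code agree with the comment; if it is not, the comment should instead say `// [^\s]* also spans punctuation, so Latin and Cyrillic joined by ':' '/' '(' etc. still count as one token`. The confusable class is pasted verbatim into both alternatives; a one-line comment above line 13 naming the code points it covers (Cyrillic U+0410–U+0456 subset, Greek U+0391–U+03BF subset) would make future additions easier to keep in sync. The removal of `mimic.exempt_canonicals` in the second hunk is not explained in the description; it is worth recording whether samples 402455 and 936366 no longer fire under the tightened regex or were reclassified.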
