@@ -6,22 +6,12 @@ source: |
66 type.inbound
77 and 0 < length(body.links) < 10
88
9- // display name or subject contains Cyrillic/Greek confusables alongside Latin
10- // Use OR logic to catch both pure homoglyphs (adjacent) and separated mixed scripts
11- and (
12- // Pure homoglyphs: Latin character immediately adjacent to Cyrillic/Greek
13- any([subject.subject, sender.display_name],
14- regex.contains(.,
15- '[a-zA-Z][\x{430}\x{435}\x{438}\x{43e}\x{443}\x{440}\x{441}\x{445}\x{456}\x{410}\x{412}\x{415}\x{41a}\x{41c}\x{41d}\x{41e}\x{420}\x{421}\x{422}\x{425}\x{391}\x{392}\x{395}\x{396}\x{397}\x{399}\x{39a}\x{39c}\x{39d}\x{39f}\x{3a1}\x{3a4}\x{3a5}\x{3a7}\x{3bf}]|[\x{430}\x{435}\x{438}\x{43e}\x{443}\x{440}\x{441}\x{445}\x{456}\x{410}\x{412}\x{415}\x{41a}\x{41c}\x{41d}\x{41e}\x{420}\x{421}\x{422}\x{425}\x{391}\x{392}\x{395}\x{396}\x{397}\x{399}\x{39a}\x{39c}\x{39d}\x{39f}\x{3a1}\x{3a4}\x{3a5}\x{3a7}\x{3bf}][a-zA-Z]'
16- )
17- )
18- // OR mixed scripts anywhere: contains both Latin and Cyrillic/Greek (separated)
19- or any([subject.subject, sender.display_name],
20- regex.contains(.,
21- '[\x{430}\x{435}\x{438}\x{43e}\x{443}\x{440}\x{441}\x{445}\x{456}\x{410}\x{412}\x{415}\x{41a}\x{41c}\x{41d}\x{41e}\x{420}\x{421}\x{422}\x{425}\x{391}\x{392}\x{395}\x{396}\x{397}\x{399}\x{39a}\x{39c}\x{39d}\x{39f}\x{3a1}\x{3a4}\x{3a5}\x{3a7}\x{3bf}]+'
22- )
23- and regex.contains(., '[a-zA-Z]')
24- )
9+ // display name or subject contains Cyrillic/Greek confusables within the same word as Latin
10+ // Both scripts must appear in a single whitespace-delimited token (true homoglyph substitution)
11+ and any([subject.subject, sender.display_name],
12+ regex.contains(.,
13+ '[a-zA-Z][^\s]*[\x{430}\x{435}\x{438}\x{43e}\x{443}\x{440}\x{441}\x{445}\x{456}\x{410}\x{412}\x{415}\x{41a}\x{41c}\x{41d}\x{41e}\x{420}\x{421}\x{422}\x{425}\x{391}\x{392}\x{395}\x{396}\x{397}\x{399}\x{39a}\x{39c}\x{39d}\x{39f}\x{3a1}\x{3a4}\x{3a5}\x{3a7}\x{3bf}]|[\x{430}\x{435}\x{438}\x{43e}\x{443}\x{440}\x{441}\x{445}\x{456}\x{410}\x{412}\x{415}\x{41a}\x{41c}\x{41d}\x{41e}\x{420}\x{421}\x{422}\x{425}\x{391}\x{392}\x{395}\x{396}\x{397}\x{399}\x{39a}\x{39c}\x{39d}\x{39f}\x{3a1}\x{3a4}\x{3a5}\x{3a7}\x{3bf}][^\s]*[a-zA-Z]'
14+ )
2515 )
2616
2717 // and suspicious subject
@@ -232,12 +222,6 @@ source: |
232222 )
233223 )
234224 and not profile.by_sender().any_messages_benign
235-
236- mimic :
237- exempt_canonicals :
238- - 402455 # Historical test sample - 8 other rules still flag
239- - 936366 # Historical test sample - potential legitimate FP
240-
241225attack_types :
242226 - " Credential Phishing"
243227tactics_and_techniques :
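Review bot: The `[^\s]*` bridge in the new regex on line 13 of the first hunk accepts any non-whitespace character, including `@`, `/`, `:` and `-`, so a token made of a Latin scheme or mailbox part followed by a Cyrillic domain still matches even though no letter was substituted, which is broader than the "true homoglyph substitution" the comment on line 10 promises. If the regex engine supports Unicode classes, replacing both `[^\s]*` bridges with `[\p{L}\p{N}]*` keeps the match inside a single letter/digit run and makes the code agree with the comment; otherwise the comment should state that the token may span punctuation. The confusable class is spelled out twice inside the same literal, so a comment above the regex such as `// confusable set: hand-picked Cyrillic/Greek letters that render like Latin; keep both copies of the class identical` would help the next editor keep them in sync. The second hunk drops both `exempt_canonicals` entries without a visible reason; presumably the narrower regex no longer fires on those samples, but that is worth stating in the commit message.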