Expand confusable character coverage in homoglyph detection rules #4596
yana-ivanov wants to merge 5 commits into
Conversation
Adds Cyrillic consonants and Greek confusables to the existing mixed-script detection in two rules. Also adds the missing Latin character check to link_suspicious_subject_with_cyrillic_substitutions.yml to prevent fully-Cyrillic display names from matching on suspicious subjects alone. Per discussion in PR sublime-security#4267.
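The rules themselves are MQL YAML and are not reproduced here. As an added example, not code from this PR or from the Sublime Security repository, the following Python models the detection logic the description and the thread talk about: a confusable table covering Cyrillic vowels, Cyrillic consonants and Greek lookalikes (a constructed list for illustration, not the rule's own), a "must contain a Latin letter" gate so that fully Cyrillic display names never match, and the adjacency idea from the review comments, where a confusable only counts if it sits directly next to a Latin letter. The function and variable names are assumptions for this example.

```python
"""Mixed-script homoglyph check modelled on the PR's rule logic (example code)."""
import unicodedata

# Cyrillic and Greek code points that render like Latin letters, mapped to the
# Latin letter they imitate. Constructed for this example; not the rule's list.
CONFUSABLES = {
    # Cyrillic vowels and other classic lookalikes
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C",
    "\u0423": "Y", "\u0425": "X", "\u0406": "I", "\u0408": "J",
    # Cyrillic consonants (the coverage this PR adds)
    "\u043d": "h", "\u043a": "k", "\u0442": "t", "\u043c": "m", "\u0432": "b",
    "\u041d": "H", "\u041a": "K", "\u0422": "T", "\u041c": "M", "\u0412": "B",
    # Greek confusables
    "\u03bf": "o", "\u03b1": "a", "\u03b5": "e", "\u03c1": "p", "\u03bd": "v",
    "\u03b9": "i", "\u03ba": "k", "\u03c4": "t", "\u03c5": "u",
    "\u039f": "O", "\u0391": "A", "\u0395": "E", "\u03a1": "P", "\u039d": "N",
    "\u0399": "I", "\u039a": "K", "\u03a4": "T", "\u0396": "Z", "\u0397": "H",
    "\u0392": "B", "\u039c": "M", "\u03a7": "X", "\u03a5": "Y",
}


def is_latin(ch: str) -> bool:
    """True for ASCII Latin letters only; digits, spaces and punctuation do not count."""
    return ("A" <= ch <= "Z") or ("a" <= ch <= "z")


def find_adjacent_confusables(text: str) -> list:
    """Return (index, char, unicode name, latin lookalike) for every confusable
    that is directly adjacent to a Latin letter. A confusable surrounded only
    by its own script (e.g. inside a genuine Cyrillic surname) is ignored."""
    hits = []
    for i, ch in enumerate(text):
        if ch not in CONFUSABLES:
            continue
        neighbours = [text[j] for j in (i - 1, i + 1) if 0 <= j < len(text)]
        if any(is_latin(n) for n in neighbours):
            hits.append((i, ch, unicodedata.name(ch), CONFUSABLES[ch]))
    return hits


def is_mixed_script_homoglyph(text: str) -> bool:
    """Rule logic: require at least one Latin letter (so a fully Cyrillic
    display name cannot match on the subject alone) and at least one
    Cyrillic/Greek confusable touching a Latin letter."""
    if not any(is_latin(c) for c in text):
        return False
    return bool(find_adjacent_confusables(text))


def skeleton(text: str) -> str:
    """Fold confusables to their Latin lookalikes, so a spoofed brand name can
    be compared against the real one (useful when triaging a hit)."""
    return "".join(CONFUSABLES.get(c, c) for c in text)


if __name__ == "__main__":
    # Constructed sample display names / subjects for the demo.
    samples = [
        "PayPal",                                   # pure Latin: no match
        "\u041f\u0430\u0440\u043e\u043b\u044c",     # 'Пароль', fully Cyrillic: no match
        "P\u0430yPal",                              # Cyrillic 'а' between Latin letters
        "\u039cicrosoft",                           # Greek capital mu before Latin 'i'
        "Anna \u0418\u0432\u0430\u043d\u043e\u0432\u0430",  # bilingual name: no match
    ]
    for s in samples:
        flag = is_mixed_script_homoglyph(s)
        print(f"{s!r:40} match={flag!s:5} skeleton={skeleton(s)!r} "
              f"hits={find_adjacent_confusables(s)}")
```

The last sample shows why the Latin gate and adjacency check matter together: "Anna Иванова" mixes scripts and contains several Cyrillic confusables, but none of them touches a Latin letter, so a legitimate bilingual display name does not fire, while "Pаypal" and "Μicrosoft" do.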
Shared Samples Sync - Action Required
This PR was not automatically synced to shared-samples because the author is not a member of the To enable syncing, an organization member can comment Once triggered, the rules will be synced on the next scheduled run (every 10 minutes).
/mql-mimic-exempt 936366, 402455
Two FPs on this rule are causing mimic to fail. Going to remove them from testing and confirm the builds pass before adding these changes to test rules. Thanks for opening this PR up, Yana!
IndiaAce
left a comment
Suggestion for the regex based on some early hunting telemetry. Let me know your thoughts!
Co-authored-by: Luke Wescott <69780712+IndiaAce@users.noreply.github.com>
…tions.yml Co-authored-by: Luke Wescott <69780712+IndiaAce@users.noreply.github.com>
Thank you so much for the detailed feedback and for handling the FPs directly — really appreciate it! The adjacency approach makes total sense, much cleaner signal. Applied both suggestions. Let me know if there's anything else you'd like me to adjust!
Hey Yana, quick little update here: your PR is failing one of our unit tests. I was looking into this yesterday and this morning. It's actually identified a need to create some additional coverage here, which is great! I'm going to keep poking around at this to get your PR unstuck; I'll FUP when I have more info!

Thanks so much for the update Luke, really appreciate you digging into it! Looking forward to hearing what you find. 😊
Description
Expands confusable character coverage in two existing homoglyph detection rules, adding Cyrillic consonants and Greek confusables to the mixed-script detection logic. Also adds the missing Latin character check to link_suspicious_subject_with_cyrillic_substitutions.yml to prevent fully-Cyrillic display names from matching on suspicious subjects alone. Per feedback from @IndiaAce in #4267.
Associated samples