diff --git a/detection-rules/link_cyrillic_substitutions_unsolicited.yml b/detection-rules/link_cyrillic_substitutions_unsolicited.yml
index f727d36e437..1c4da179fa8 100644
--- a/detection-rules/link_cyrillic_substitutions_unsolicited.yml
+++ b/detection-rules/link_cyrillic_substitutions_unsolicited.yml
@@ -15,9 +15,11 @@ source: |
 )
 )
- // display name or subject contains Cyrillic vowels in addition to standard letters
+ // display name or subject contains Cyrillic/Greek confusables in addition to standard letters
 and any([subject.subject, sender.display_name],
- regex.icontains(., '(а|е|и|о|у)') and regex.icontains(., '[a-z]')
+ regex.contains(.,
+ '[a-zA-Z][\x{430}\x{435}\x{438}\x{43e}\x{443}\x{440}\x{441}\x{445}\x{456}\x{410}\x{412}\x{415}\x{41a}\x{41c}\x{41d}\x{41e}\x{420}\x{421}\x{422}\x{425}\x{391}\x{392}\x{395}\x{396}\x{397}\x{399}\x{39a}\x{39c}\x{39d}\x{39f}\x{3a1}\x{3a4}\x{3a5}\x{3a7}\x{3bf}]|[\x{430}\x{435}\x{438}\x{43e}\x{443}\x{440}\x{441}\x{445}\x{456}\x{410}\x{412}\x{415}\x{41a}\x{41c}\x{41d}\x{41e}\x{420}\x{421}\x{422}\x{425}\x{391}\x{392}\x{395}\x{396}\x{397}\x{399}\x{39a}\x{39c}\x{39d}\x{39f}\x{3a1}\x{3a4}\x{3a5}\x{3a7}\x{3bf}][a-zA-Z]'
+ )
 )
 // and the senders tld or return path is not "ru"
@@ -40,7 +42,6 @@ source: |
 )
 )
 and not profile.by_sender().any_messages_benign
-
 tags:
 - "Attack surface reduction"
 attack_types:
diff --git a/detection-rules/link_suspicious_subject_with_cyrillic_substitutions.yml b/detection-rules/link_suspicious_subject_with_cyrillic_substitutions.yml
index c1965f059b8..c7917f2d02f 100644
--- a/detection-rules/link_suspicious_subject_with_cyrillic_substitutions.yml
+++ b/detection-rules/link_suspicious_subject_with_cyrillic_substitutions.yml
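Review bot: The new pattern on the `regex.contains` line fires only when a Latin letter is immediately adjacent to a confusable code point, so a mixed-script token whose Latin and Cyrillic/Greek letters are separated by a digit or punctuation (a hyphenated or dotted brand name, say) no longer matches, which is narrower than the `icontains` pair it replaces; the identical hunk in link_suspicious_subject_with_cyrillic_substitutions.yml has the same gap. Matching within one whitespace-delimited token keeps the false-positive reduction over the old any-position check while closing that gap: `'[a-zA-Z]\S*[CONFUSABLES]|[CONFUSABLES]\S*[a-zA-Z]'`, where CONFUSABLES stands for the existing bracketed class. A token built entirely from confusables is outside both forms, and a comment such as `// requires a Latin letter and a confusable in the same token; all-confusable tokens are not covered` would make that scope explicit for whoever tunes the rule next. The 35-code-point class is also pasted twice per rule and across both files, so any later change (the class has no Cyrillic ѕ U+0455, for instance) has to be made in four places; a comment naming the other file, or a shared snippet if the rule format allows one, would reduce drift.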
@@ -6,9 +6,11 @@ source: |
 type.inbound
 and 0 < length(body.links) < 10
- // display name or subject contains confusable vowels
+ // display name or subject contains Cyrillic/Greek confusables alongside Latin
 and any([subject.subject, sender.display_name],
- regex.icontains(., '(а|е|и|о|у)')
+ regex.contains(.,
+ '[a-zA-Z][\x{430}\x{435}\x{438}\x{43e}\x{443}\x{440}\x{441}\x{445}\x{456}\x{410}\x{412}\x{415}\x{41a}\x{41c}\x{41d}\x{41e}\x{420}\x{421}\x{422}\x{425}\x{391}\x{392}\x{395}\x{396}\x{397}\x{399}\x{39a}\x{39c}\x{39d}\x{39f}\x{3a1}\x{3a4}\x{3a5}\x{3a7}\x{3bf}]|[\x{430}\x{435}\x{438}\x{43e}\x{443}\x{440}\x{441}\x{445}\x{456}\x{410}\x{412}\x{415}\x{41a}\x{41c}\x{41d}\x{41e}\x{420}\x{421}\x{422}\x{425}\x{391}\x{392}\x{395}\x{396}\x{397}\x{399}\x{39a}\x{39c}\x{39d}\x{39f}\x{3a1}\x{3a4}\x{3a5}\x{3a7}\x{3bf}][a-zA-Z]'
+ )
 )
 // and suspicious subject