Attachment: Filename containing Unicode right-to-left override character
Recursively identifies attachments that attempt to conceal their true file extension by using right-to-left override characters
Sublime rule:

```yaml
name: "Attachment: Filename containing Unicode right-to-left override character"
description: |
  Recursively identifies attachments that attempt to conceal their true file extension by using right-to-left override characters
references:
  - "https://redcanary.com/blog/right-to-left-override/"
  - "https://sublimecommunity.slack.com/archives/C02N1F7FP7C/p1644411026329629"
type: "rule"
authors:
  - twitter: "vector_sec"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          regex.icontains(.file_name, '\x{202E}', '\x{202D}')
          or (
            .file_extension in~ $file_extensions_common_archives
            and any(file.explode(.),
                    regex.icontains(.file_name, '\x{202E}', '\x{202D}')
            )
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "357c57a1-dd29-5ad8-ae2f-c4f4c6489575"
```
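The same check outside the Sublime engine, as an added example that is not part of the rule or of Sublime's code: it flags any filename carrying U+202E or U+202D and descends into archive members the way the rule's `file.explode(.)` clause does. It assumes zip is the only archive format handled and uses a constructed in-memory sample rather than real mail data.

```python
import io
import zipfile

# The two Unicode bidi override code points the Sublime rule matches on.
RTL_OVERRIDE = "\u202E"   # RIGHT-TO-LEFT OVERRIDE
LTR_OVERRIDE = "\u202D"   # LEFT-TO-RIGHT OVERRIDE
OVERRIDE_CHARS = (RTL_OVERRIDE, LTR_OVERRIDE)


def has_bidi_override(name: str) -> bool:
    """Equivalent of the rule's regex.icontains clause on U+202E / U+202D."""
    return any(ch in name for ch in OVERRIDE_CHARS)


def rendered_name(name: str) -> str:
    """Approximate what a mail client displays: text after U+202E is drawn reversed."""
    head, sep, tail = name.partition(RTL_OVERRIDE)
    return head + tail[::-1] if sep else name


def find_override_names(file_name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return the path of every filename carrying an override character, recursing into
    zip archives like the rule's file.explode(.) branch (zip only here, an assumption).
    max_depth bounds recursion on nested archives."""
    hits = [file_name] if has_bidi_override(file_name) else []
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner_hits = find_override_names(info.filename, zf.read(info), depth + 1, max_depth)
                hits.extend(f"{file_name}/{h}" for h in inner_hits)
    return hits


def _make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def scan_sample() -> list:
    """Constructed sample: an archive attachment with a clean name, one spoofed member
    at the top level and another inside a nested archive."""
    nested = _make_zip({"report\u202Excod.scr": b"not a docx"})
    attachment = _make_zip({"invoice\u202Efdp.exe": b"not a pdf", "nested.zip": nested})
    return find_override_names("attachments.zip", attachment)


if __name__ == "__main__":
    for path in scan_sample():
        print(f"{path!r} displays as {rendered_name(path.rsplit('/', 1)[-1])!r}")
```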