Body: Invisible Unicode obfuscation student loan callback phishing
Detects inbound messages whose HTML body contains a run of Unicode zero-width and invisible characters (such as LRM, RLM, zero-width space, BOM, and directional isolates), digit sequences with those characters interspersed between the digits, and text matching a 'student loan' pattern even when filler characters separate its letters. This technique is used to obscure text from security filters while remaining visually coherent to recipients.
Sublime rule
name: "Body: Invisible Unicode obfuscation student loan callback phishing"
description: "Detects messages containing clusters of Unicode zero-width and invisible characters (such as LRM, RLM, zero-width space, BOM, and directional isolates) interspersed within digit sequences and body content matching 'student loan' patterns. This technique is used to obscure text from security filters while remaining visually coherent to recipients."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and regex.contains(body.html.raw,
                     '(\x{2065}|\x{200E}|\x{200F}|\x{2066}|\x{2067}|\x{2068}|\x{2069}|\x{200B}|\x{200C}|\x{200D}|\x{FEFF}){3}'
  )
  and regex.contains(body.html.raw,
                     '\d[\x{200E}\x{200F}\x{200B}\x{200C}\x{200D}\x{2065}\x{FEFF}]{1,6}\d'
  )
  and regex.icontains(body.html.raw,
                      's.{0,6}t.{0,6}u.{0,6}d.{0,6}e.{0,6}n.{0,6}t.{0,10}l.{0,6}o.{0,6}a.{0,6}n'
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "HTML analysis"
  - "Content analysis"
id: "6b951465-0566-58e4-b29e-d0bc998adca0"
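The three conditions above can be exercised outside Sublime to see why they are chained with `and`: each one alone is noisy, together they are specific. The following is an added Python example, not Sublime's code and not part of the rule above. It re-implements the three MQL regexes with Python's `re` (MQL's `\x{2065}` becomes `\u2065`), evaluates them separately for triage, and adds a normalisation step that deletes the invisible code points so an analyst can read the message, and the callback number, the way the recipient does. The names `INVISIBLE_CHARS`, `explain`, `matches_rule`, `strip_invisible`, `recover_digit_runs`, the two sample bodies and the `min_len=7` threshold are all assumptions introduced here; the samples are constructed, not real messages.

```python
import re

# The invisible / zero-width code points enumerated by the rule: U+2065 (unassigned,
# grouped with the invisible block), LRM U+200E, RLM U+200F, the directional isolates
# U+2066..U+2069, ZWSP U+200B, ZWNJ U+200C, ZWJ U+200D and the BOM U+FEFF.
INVISIBLE_CHARS = "\u2065\u200E\u200F\u2066\u2067\u2068\u2069\u200B\u200C\u200D\uFEFF"

# Condition 1 of the rule: three invisible characters in a row. A character class
# repeated {3} is equivalent to the rule's alternation group repeated {3}.
INVISIBLE_CLUSTER_RE = re.compile(
    r"[\u2065\u200E\u200F\u2066\u2067\u2068\u2069\u200B\u200C\u200D\uFEFF]{3}"
)

# Condition 2: a digit, 1-6 invisible characters, another digit (a phone number split
# up so a naive search for consecutive digits never fires). The class is the rule's
# own, which omits the directional isolates.
OBFUSCATED_DIGITS_RE = re.compile(r"\d[\u200E\u200F\u200B\u200C\u200D\u2065\uFEFF]{1,6}\d")

# Condition 3: 'student loan' with up to 6 arbitrary characters between letters and up
# to 10 between the two words, case-insensitive, as in the rule's regex.icontains().
STUDENT_LOAN_RE = re.compile(
    r"s.{0,6}t.{0,6}u.{0,6}d.{0,6}e.{0,6}n.{0,6}t.{0,10}l.{0,6}o.{0,6}a.{0,6}n",
    re.IGNORECASE,
)


def explain(body_html: str) -> dict:
    """Evaluate each of the rule's three conditions separately, for triage."""
    return {
        "invisible_cluster": INVISIBLE_CLUSTER_RE.search(body_html) is not None,
        "obfuscated_digits": OBFUSCATED_DIGITS_RE.search(body_html) is not None,
        "student_loan": STUDENT_LOAN_RE.search(body_html) is not None,
    }


def matches_rule(body_html: str) -> bool:
    """True only when all three conditions hold, mirroring the rule's 'and' chain."""
    return all(explain(body_html).values())


def strip_invisible(text: str) -> str:
    """Delete the invisible code points so the text a filter sees is what the recipient sees."""
    return text.translate({ord(c): None for c in INVISIBLE_CHARS})


def recover_digit_runs(body_html: str, min_len: int = 7) -> list:
    """Digit runs of at least min_len after normalisation. min_len=7 is an assumed
    threshold chosen to surface callback numbers while ignoring years and short IDs."""
    return re.findall(r"\d{%d,}" % min_len, strip_invisible(body_html))


# Constructed sample (not a real message): "student loan" broken up with ZWSP and a
# callback number broken up with LRM/RLM/ZWSP, the pattern the rule describes.
ZWSP = "\u200B"
SAMPLE_OBFUSCATED = (
    "<p>Your s" + ZWSP + "tu" + ZWSP + "dent l" + ZWSP + "o" + ZWSP + "an forgiveness request is pending. "
    "Call 8" + "\u200E\u200F\u200B" + "00" + "\u200E\u200E" + "555" + "\u200F\u200B\u200E" + "0199 today.</p>"
)

# Constructed benign sample: same topic, plain text, number formatted with hyphens.
SAMPLE_BENIGN = (
    "<p>Your student loan statement for 2024 is available in your account. "
    "Call 800-555-0199 with questions.</p>"
)

if __name__ == "__main__":
    for label, body in (("obfuscated", SAMPLE_OBFUSCATED), ("benign", SAMPLE_BENIGN)):
        print(label, explain(body), "->", matches_rule(body))
        print("  normalised:", strip_invisible(body))
        print("  digit runs:", recover_digit_runs(body))
```

On the benign sample only the `student_loan` condition fires, which is why the rule does not alert on ordinary loan-servicing mail; on the obfuscated sample all three fire, and `strip_invisible` yields the plain "student loan" text and the ten-digit callback number that the raw body hides from a naive digit search. A lone BOM at the start of an HTML body, common in legitimate mail, does not satisfy the cluster condition because it requires three invisible characters in a row.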