Fake warning banner using confusable characters

Detects messages containing fake security banners that use visually similar characters to impersonate legitimate sender verification text, potentially to bypass security controls and deceive recipients.

Sublime rule (View on GitHub)

name: "Fake warning banner using confusable characters"
description: "Detects messages containing fake security banners that use visually similar characters to impersonate legitimate sender verification text, potentially to bypass security controls and deceive recipients."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    regex.contains(strings.replace_confusables(body.current_thread.text),
                   'This sender has been verified fro(?:m|rn) safe senders list'
    )
    or any(body.current_thread.banners,
           regex.contains(strings.replace_confusables(.text),
                          'This sender has been verified fro(?:m|rn) safe senders list'
           )
    )
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
id: "179ee1ff-b9d3-572f-b7d9-466e58e81c75"
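The rule's two-step logic (fold lookalike characters to ASCII, then match a fixed phrase) is worth seeing run against concrete messages. The Python below is an added illustration, not Sublime's implementation: `replace_confusables` is a stand-in for `strings.replace_confusables()` built from NFKC normalization plus a small constructed homoglyph table (Sublime's full table is not on this page, and whether it also strips zero-width characters is an assumption made here), and the sample messages are constructed. The `type.inbound` check is not modelled. Note why the regex spells the word as `fro(?:m|rn)`: per-character folding cannot collapse the two-letter sequence "rn" into "m", so that evasion has to be handled in the pattern itself.

```python
import re
import unicodedata

# Constructed homoglyph table (assumption): a small subset of the confusable
# characters that Sublime's strings.replace_confusables() folds to ASCII.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0455": "s",  # Cyrillic small dze
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u03b1": "a",  # Greek small alpha
    "\u03bf": "o",  # Greek small omicron
    "\u0131": "i",  # Latin small dotless i
}

# Invisible characters attackers splice into words to break naive matching.
# Stripping them here is an assumption about the folding step, not a claim
# about Sublime's function.
ZERO_WIDTH_RE = re.compile(r"[\u200b\u200c\u200d\u2060\ufeff]")

# The phrase from the rule, including the "rn"-for-"m" alternation.
BANNER_RE = re.compile(r"This sender has been verified fro(?:m|rn) safe senders list")


def replace_confusables(text: str) -> str:
    """Fold lookalike characters to ASCII.

    NFKC handles compatibility forms (fullwidth letters, ligatures); the table
    handles cross-script homoglyphs that NFKC deliberately leaves alone.
    """
    folded = unicodedata.normalize("NFKC", text)
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    return ZERO_WIDTH_RE.sub("", folded)


def fake_banner_present(body_text: str, banner_texts=()) -> bool:
    """Mirror the rule's source block: the phrase must appear in the folded
    thread text or in any folded banner element."""
    candidates = [body_text, *banner_texts]
    return any(BANNER_RE.search(replace_confusables(c)) for c in candidates)


# Constructed samples. The first mixes Cyrillic i (U+0456) and Greek omicron
# (U+03BF) into an otherwise Latin sentence; the second uses "rn" for "m";
# the third uses fullwidth Latin letters; the fourth hides a zero-width space.
SAMPLE_MIXED_SCRIPT = (
    "Th\u0456s sender has been ver\u0456f\u0456ed fr\u03bfm safe senders l\u0456st"
)
SAMPLE_RN = "This sender has been verified frorn safe senders list"
SAMPLE_FULLWIDTH = "\uff34\uff48\uff49\uff53 sender has been verified from safe senders list"
SAMPLE_ZERO_WIDTH = "This sender has been verified fro\u200bm safe senders list"
SAMPLE_BENIGN = "Hi team, the Q3 invoice is attached. Thanks."


if __name__ == "__main__":
    for label, sample in [
        ("mixed script", SAMPLE_MIXED_SCRIPT),
        ("rn for m", SAMPLE_RN),
        ("fullwidth", SAMPLE_FULLWIDTH),
        ("zero-width", SAMPLE_ZERO_WIDTH),
        ("benign", SAMPLE_BENIGN),
    ]:
        raw_hit = bool(BANNER_RE.search(sample))
        folded_hit = fake_banner_present(sample)
        print(f"{label:13s} raw={raw_hit!s:5s} folded={folded_hit}")
```

Run as a script it prints, for each sample, whether the unfolded regex would have matched and whether the rule's fold-then-match logic matches; only the "rn" sample is caught without folding, which is exactly the case the regex alternation exists for.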