HTML: Bidirectional (BIDI) HTML override with right to left obfuscation

Body HTML contains multiple instances of right-to-left (RTL) text direction override markup, which can be used to visually manipulate text display and potentially bypass common strings checks.

Sublime rule

name: "HTML: Bidirectional (BIDI) HTML override with right to left obfuscation"
description: "Body HTML contains multiple instances of right-to-left (RTL) text direction override markup, which can be used to visually manipulate text display and potentially bypass common strings checks."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // RTL override markup is only expected when RTL-language content is present.
  and (
    regex.icount(body.html.raw,
                 '<span style="unicode-bidi: bidi-override; display: inline-block;" dir="rtl">'
    ) + regex.icount(body.html.raw, '<bdo dir="rtl">')
    // Requiring a minimum count leaves room to tune the rule against false positives.
  ) >= 3

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
  - "Scripting"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
id: "f93940d2-0713-5a4c-8864-3d3441b5fd5a"
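As an added example (not part of the Sublime rule or the Sublime project), the Python below mirrors the rule's count-and-threshold logic over a constructed HTML body and also recovers the visually rendered text, so that a string check can run against what the recipient actually sees rather than the reversed source. The sample HTML and the helper names are constructed for this illustration.

```python
import re

# The two markup patterns the rule counts, copied verbatim from the rule source.
RTL_PATTERNS = [
    r'<span style="unicode-bidi: bidi-override; display: inline-block;" dir="rtl">',
    r'<bdo dir="rtl">',
]
THRESHOLD = 3  # the rule's ">= 3"

# Constructed sample body: three RTL override blocks, one with an upper-case tag
# to show that the case-insensitive count (regex.icount) still catches it.
SAMPLE_HTML = (
    '<p>Your <bdo dir="rtl">eciovni</bdo> from <BDO dir="rtl">moc.elpmaxe</BDO> is attached.</p>'
    '<p>Please confirm the <span style="unicode-bidi: bidi-override; display: inline-block;" '
    'dir="rtl">tnemyap</span>.</p>'
)


def count_rtl_overrides(body_html: str) -> int:
    """Case-insensitive total of both RTL override tag variants (like regex.icount)."""
    return sum(len(re.findall(p, body_html, flags=re.IGNORECASE)) for p in RTL_PATTERNS)


def rule_matches(body_html: str, inbound: bool = True) -> bool:
    """Evaluate the rule condition: inbound message AND at least THRESHOLD overrides."""
    return inbound and count_rtl_overrides(body_html) >= THRESHOLD


# One RTL override element (span or bdo, non-nested) and the text it wraps.
_RTL_BLOCK = re.compile(
    r'<(?:span|bdo)\b[^>]*dir="rtl"[^>]*>([^<]*)</(?:span|bdo)>',
    re.IGNORECASE,
)


def rendered_text(body_html: str) -> str:
    """Approximate the displayed text: reverse the characters inside each RTL
    override block (that is what bidi-override does visually), then strip tags.
    Run keyword or domain checks on this output instead of the raw source."""
    flipped = _RTL_BLOCK.sub(lambda m: m.group(1)[::-1], body_html)
    return re.sub(r"<[^>]+>", "", flipped)


if __name__ == "__main__":
    print("overrides:", count_rtl_overrides(SAMPLE_HTML), "match:", rule_matches(SAMPLE_HTML))
    print("rendered :", rendered_text(SAMPLE_HTML))
```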