Link to a domain with punycode characters

calendar Nov 12, 2025 · Attack surface reduction  ·
Share on: linkedin copy

The body contains a link to a domain with Punycode characters to hide the true URL destination, or contains non-printable ASCII content.

Sublime rule (View on GitHub)

 1name: "Link to a domain with punycode characters"
 2description: |
 3    The body contains a link to a domain with Punycode characters to hide the true URL destination, or contains non-printable ASCII content.
 4references:
 5  - "https://www.bleepingcomputer.com/news/security/hackers-abuse-lookalike-domains-and-favicons-for-credit-card-theft/"
 6type: "rule"
 7authors:
 8  - twitter: "ajpc500"
 9severity: "medium"
10source: |
11  type.inbound
12  and (
13    any(body.links,
14        .href_url.domain.punycode is not null and .href_url.domain.valid == true
15    )
16    or any(body.links, strings.starts_with(.href_url.domain.domain, "xn--"))
17  )  
18
19tags:
20  - "Attack surface reduction"
21attack_types:
22  - "Credential Phishing"
23tactics_and_techniques:
24  - "Evasion"
25  - "Lookalike domain"
26  - "Punycode"
27detection_methods:
28  - "Sender analysis"
29  - "URL analysis"
30id: "74b3698c-d75e-52db-9596-48af93817822"

Related rules

to-top