Link to a Domain with Punycode Characters

The body contains a link to a domain with Punycode characters to hide the true URL destination, or contains non-printable ASCII content.

Sublime rule (View on GitHub)

```yaml
name: "Link to a Domain with Punycode Characters"
description: |
    The body contains a link to a domain with Punycode characters to hide the true URL destination, or contains non-printable ASCII content.
references:
  - "https://www.bleepingcomputer.com/news/security/hackers-abuse-lookalike-domains-and-favicons-for-credit-card-theft/"
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "medium"
source: |
  type.inbound
  and any(body.links, .href_url.domain.punycode is not null and .href_url.domain.valid == true)
  and (
    (
      // include automated emails
      sender.display_name == "WordPress"
      or sender.email.local_part == "wordpress"
    )

    or (
      (
        profile.by_sender().prevalence in ("new", "outlier")
        and not profile.by_sender().solicited
      )
      or (
        profile.by_sender().any_messages_malicious_or_spam
        and not profile.by_sender().any_false_positives
      )
    )
  )
  and not profile.by_sender().any_false_positives
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Lookalike domain"
  - "Punycode"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "74b3698c-d75e-52db-9596-48af93817822"
```
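The core of the rule is the `href_url.domain.punycode is not null` check over `body.links`. The following is an added example, not part of the Sublime rule or its engine: it extracts the hrefs from a message body, flags any host with an `xn--` label, decodes it to Unicode and reports whether the decoded host mixes scripts (the usual shape of a lookalike domain). The sample body and the lookalike host are constructed for the demo.

```python
"""Added example (not part of the Sublime rule): find message-body links whose
domain carries a Punycode (IDNA 'xn--') label, decode the label and report
whether the Unicode form mixes scripts, as a lookalike domain typically does."""
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lookalike host: 'example' whose first letter is a Cyrillic 'е'
# (U+0435), IDNA-encoded so the href reads as an ordinary xn-- domain.
LOOKALIKE_UNICODE = "\u0435xample.test"
LOOKALIKE_ACE = LOOKALIKE_UNICODE.encode("idna").decode("ascii")

# Constructed sample body: a plain link, then a link whose visible text says
# example.test while its href points at the Punycode host.
SAMPLE_BODY = (
    "<p>Your document is ready.</p>"
    '<a href="https://www.example.test/doc">example.test</a> '
    f'<a href="https://{LOOKALIKE_ACE}/doc">example.test</a>'
)

class _HrefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # keep every non-empty href on an anchor tag
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def scripts_in(host):
    """Script names (first word of the Unicode character name) of the letters."""
    return {unicodedata.name(c).split()[0] for c in host if c.isalpha()}

def punycode_links(html_body):
    """One dict per link whose host has an xn-- label; 'decoded' is None when
    the label does not round-trip as valid IDNA (still worth flagging)."""
    collector = _HrefCollector()
    collector.feed(html_body)
    findings = []
    for href in collector.hrefs:
        host = (urlparse(href).hostname or "").lower()
        if not any(label.startswith("xn--") for label in host.split(".")):
            continue
        try:
            decoded = host.encode("ascii").decode("idna")
        except UnicodeError:
            decoded = None
        mixed = decoded is not None and len(scripts_in(decoded)) > 1
        findings.append({"href": href, "host": host,
                         "decoded": decoded, "mixed_scripts": mixed})
    return findings
```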
