Link to a Domain with Punycode Characters
The body contains a link to a domain with Punycode characters to hide the true URL destination, or contains non-printable ASCII content.
Sublime rule
```yaml
name: "Link to a Domain with Punycode Characters"
description: |
  The body contains a link to a domain with Punycode characters to hide the true URL destination, or contains non-printable ASCII content.
references:
  - "https://www.bleepingcomputer.com/news/security/hackers-abuse-lookalike-domains-and-favicons-for-credit-card-theft/"
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "medium"
source: |
  type.inbound
  and any(body.links, .href_url.domain.punycode is not null and .href_url.domain.valid == true)
  and (
    // include automated emails
    sender.display_name == "WordPress"
    or sender.email.local_part == "wordpress"

    // Has my organization ever sent an email to this sender?
    or (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Lookalike domain"
  - "Punycode"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "74b3698c-d75e-52db-9596-48af93817822"
```
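As an added illustration (not Sublime's engine or code from the rule's author), the Python below re-implements the rule's two conditions: it finds body links whose host carries a valid `xn--` label and decodes them so an analyst can see the Unicode form the recipient would have seen, then applies the same sender-familiarity logic. The `$free_email_providers`, `$recipient_emails` and `$recipient_domains` lists, the naive `root_domain` helper and the sample message are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-ins for the Sublime lists the rule references.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
RECIPIENT_EMAILS = {"known.partner@gmail.com"}
RECIPIENT_DOMAINS = {"partner.example"}

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def punycode_links(html_body):
    """Return (ascii_host, unicode_host) for each link whose host has a valid xn-- label."""
    hits = []
    for href in HREF_RE.findall(html_body):
        host = (urlsplit(href).hostname or "").lower()
        if "." not in host or not any(l.startswith("xn--") for l in host.split(".")):
            continue
        try:  # mirrors ".punycode is not null and .valid == true"
            hits.append((host, host.encode("ascii").decode("idna")))
        except ValueError:  # UnicodeError is a subclass: undecodable label, skip it
            pass
    return hits


def root_domain(domain):
    # Assumption: last two labels. Sublime uses a public-suffix list, which is more accurate.
    return ".".join(domain.split(".")[-2:])


def sender_is_unfamiliar(display_name, sender_email):
    """The sender-side half of the rule: automated WordPress mail or a sender never mailed before."""
    local, _, domain = sender_email.lower().partition("@")
    if display_name == "WordPress" or local == "wordpress":
        return True
    if root_domain(domain) in FREE_EMAIL_PROVIDERS:
        return sender_email.lower() not in RECIPIENT_EMAILS
    return domain not in RECIPIENT_DOMAINS


def rule_matches(display_name, sender_email, html_body):
    return bool(punycode_links(html_body)) and sender_is_unfamiliar(display_name, sender_email)


# Constructed sample: a lookalike host built from a Cyrillic "а" (U+0430) inside "pаypal".
LOOKALIKE = "p\u0430ypal.com".encode("idna").decode("ascii")
SAMPLE_BODY = f'<p>Verify now: <a href="https://{LOOKALIKE}/login">paypal.com</a></p>'

if __name__ == "__main__":
    for ascii_host, uni_host in punycode_links(SAMPLE_BODY):
        print(f"{ascii_host} renders as {uni_host!r}")
    print("match:", rule_matches("Support", "billing@gmail.com", SAMPLE_BODY))
```

The decoded form is what to record in the alert: the `xn--` string alone tells the analyst little, while the rendered lookalike shows why the link is deceptive.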