Cyrillic vowel substitution in subject or display name from unknown sender
This rule detects unsolicited messages whose subject or sender display name mixes Cyrillic vowels with Latin letters (a common homoglyph substitution used to slip past keyword filters), while excluding messages whose sender or return-path domain uses the .ru TLD and a short list of known notification bounce senders (Google Calendar and identity reachout, Zoom, Dataminr, Atlassian).
Sublime rule
name: "Cyrillic vowel substitution in subject or display name from unknown sender"
description: "This rule detects unsolicited messages containing a mix of Cyrillic and Latin characters in the subject or sender's name while excluding emails from Russian domains and specific Google Calendar notification bounce emails."
type: "rule"
severity: "medium"
source: |
  type.inbound

  // message contains between 1 and 9 links,
  // or no links but at least one attachment and an empty current thread
  and (
    0 < length(body.links) < 10
    or (
      length(body.links) == 0
      and length(attachments) > 0
      and body.current_thread.text == ""
    )
  )

  // display name or subject contains Cyrillic vowels in addition to standard Latin letters
  and any([subject.subject, sender.display_name],
          regex.icontains(., '(а|е|и|о|у)') and regex.icontains(., '[a-z]')
  )

  // and neither the sender's TLD nor the return-path TLD is "ru"
  and not (
    sender.email.domain.tld == "ru" or headers.return_path.domain.tld == "ru"
  )

  // and the return path is not one of the known notification/bounce senders
  and not headers.return_path.domain.domain == 'calendar-server.bounces.google.com'
  and not headers.return_path.domain.domain == 'identity-reachout.bounces.google.com'
  and not headers.return_path.domain.domain == 'bounce-sg.zoom.us'
  and not headers.return_path.domain.domain == 'bounce.dataminr.com'
  and not headers.return_path.domain.domain == 'mail-us.atlassian.net'

  // the message is unsolicited and the sender has no recorded false positives
  and (
    not profile.by_sender().solicited
    or (
      length(headers.reply_to) > 0
      and all(headers.reply_to, .email.email not in $recipient_emails)
    )
  )
  and not profile.by_sender().any_false_positives

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "74bc0b0c-891d-53c8-ae01-bc12018c5624"
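To make the rule's logic concrete outside the Sublime platform, the following is an added Python approximation of the same checks (it is not Sublime's code and MQL is not Python). The `Message` dataclass and the `SAMPLES` messages are constructed here for illustration; `solicited` and `any_false_positives` stand in for the `profile.by_sender()` fields, and the Cyrillic vowels are written as `\u` escapes so the look-alike glyphs are unambiguous. `cyrillic_chars` is an extra triage helper that shows an analyst exactly which characters triggered the match.

```python
import re
import unicodedata
from dataclasses import dataclass, field

# The five Cyrillic vowels the rule looks for (а U+0430, е U+0435, и U+0438,
# о U+043E, у U+0443), matched case-insensitively like regex.icontains.
CYRILLIC_VOWELS = re.compile(r"[\u0430\u0435\u0438\u043e\u0443]", re.IGNORECASE)
LATIN_LETTER = re.compile(r"[a-z]", re.IGNORECASE)

# Return-path domains the rule exempts (copied from the rule above).
EXEMPT_RETURN_PATH_DOMAINS = {
    "calendar-server.bounces.google.com",
    "identity-reachout.bounces.google.com",
    "bounce-sg.zoom.us",
    "bounce.dataminr.com",
    "mail-us.atlassian.net",
}


@dataclass
class Message:
    """Hypothetical flat view of the message fields the rule consults."""
    subject: str
    display_name: str
    sender_domain: str
    return_path_domain: str
    link_count: int
    attachment_count: int = 0
    thread_text: str = ""
    reply_to: list = field(default_factory=list)
    recipient_emails: list = field(default_factory=list)
    solicited: bool = False            # stands in for profile.by_sender().solicited
    any_false_positives: bool = False  # stands in for profile.by_sender().any_false_positives


def tld(domain: str) -> str:
    return domain.rsplit(".", 1)[-1].lower()


def mixed_script(text: str) -> bool:
    """True when the text has at least one Cyrillic vowel AND at least one Latin letter."""
    return bool(CYRILLIC_VOWELS.search(text)) and bool(LATIN_LETTER.search(text))


def cyrillic_chars(text: str) -> list:
    """(index, char, Unicode name) for every Cyrillic letter; useful in alert output."""
    return [(i, ch, unicodedata.name(ch))
            for i, ch in enumerate(text)
            if "CYRILLIC" in unicodedata.name(ch, "")]


def rule_matches(msg: Message) -> bool:
    # link-count gate: 1-9 links, or no links but an attachment and an empty current thread
    if not (0 < msg.link_count < 10 or
            (msg.link_count == 0 and msg.attachment_count > 0 and msg.thread_text == "")):
        return False
    # subject or display name mixes Cyrillic vowels with Latin letters
    if not any(mixed_script(t) for t in (msg.subject, msg.display_name)):
        return False
    # exemptions: .ru sender or return path, and the known bounce senders
    if tld(msg.sender_domain) == "ru" or tld(msg.return_path_domain) == "ru":
        return False
    if msg.return_path_domain in EXEMPT_RETURN_PATH_DOMAINS:
        return False
    # unsolicited: sender never solicited, or every Reply-To points outside the recipients
    unsolicited = (not msg.solicited) or (
        len(msg.reply_to) > 0 and all(r not in msg.recipient_emails for r in msg.reply_to))
    if not unsolicited:
        return False
    return not msg.any_false_positives


# Constructed samples (not real mail). The "o" in these subjects is Cyrillic U+043E.
SAMPLES = {
    "homoglyph_subject": Message("Y\u043eur acc\u043eunt needs review", "IT Helpdesk",
                                 "example-sender.test", "example-sender.test", link_count=2),
    "plain_latin": Message("Your account needs review", "IT Helpdesk",
                           "example-sender.test", "example-sender.test", link_count=2),
    "ru_sender": Message("Y\u043eur acc\u043eunt needs review", "IT Helpdesk",
                         "example.ru", "example.ru", link_count=2),
    "calendar_bounce": Message("Invitati\u043en: sync", "Calendar",
                               "google.com", "calendar-server.bounces.google.com", link_count=3),
    "solicited_external_reply_to": Message("Inv\u043eice attached", "Billing",
                                           "example-sender.test", "example-sender.test",
                                           link_count=0, attachment_count=1,
                                           reply_to=["other@elsewhere.test"],
                                           recipient_emails=["me@corp.test"], solicited=True),
}


def evaluate_samples() -> dict:
    return {name: rule_matches(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:30s} {'MATCH' if hit else 'no match'}")
    print(cyrillic_chars(SAMPLES["homoglyph_subject"].subject))
```

Note that the `plain_latin` and `homoglyph_subject` subjects render identically in most fonts, which is the whole point of the substitution; the `solicited_external_reply_to` sample shows why the rule still fires for a previously solicited sender when the Reply-To is redirected outside the recipient set.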
Related rules
- Service Abuse: Dropbox Share From an Unsolicited Reply-To Address
- Service Abuse: DocSend Share From an Unsolicited Reply-To Address
- Service Abuse: DocuSign Share From an Unsolicited Reply-To Address
- Service Abuse: Google Drive Share From an Unsolicited Reply-To Address
- Service Abuse: DocSend Share From Newly Registered Domain