Cyrillic vowel substitution in subject or display name from unknown sender
This rule detects unsolicited messages containing a mix of Cyrillic and Latin characters in the subject or sender's name while excluding emails from Russian domains and specific Google Calendar notification bounce emails.
Sublime rule (View on GitHub)
1name: "Cyrillic vowel substitution in subject or display name from unknown sender"
2description: "This rule detects unsolicited messages containing a mix of Cyrillic and Latin characters in the subject or sender's name while excluding emails from Russian domains and specific Google Calendar notification bounce emails."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7
8 // message contains between 1 and 9 links
9 and 0 < length(body.links) < 10
10
11 // display name or subject contains Cyrillic vowels in addition to standard letters
12 and any([subject.subject, sender.display_name],
13 regex.icontains(., '(а|е|и|о|у)') and regex.icontains(., '[a-z]')
14 )
15
16 // and the senders tld or return path is not "ru"
17 and not (
18 sender.email.domain.tld == "ru" or headers.return_path.domain.tld == "ru"
19 )
20 // and the return path is not 'calendar-server.bounces.google.com'
21 and not headers.return_path.domain.domain == 'calendar-server.bounces.google.com'
22 and not headers.return_path.domain.domain == 'identity-reachout.bounces.google.com'
23 and not headers.return_path.domain.domain == 'bounce-sg.zoom.us'
24 and not headers.return_path.domain.domain == 'bounce.dataminr.com'
25 and not headers.return_path.domain.domain == 'mail-us.atlassian.net'
26
27 // the message is unsolicited and no false positives
28 and (
29 not profile.by_sender().solicited
30 or (
31 length(headers.reply_to) > 0
32 and all(headers.reply_to, .email.email not in $recipient_emails)
33 )
34 )
35 and not profile.by_sender().any_false_positives
36
37tags:
38 - "Attack surface reduction"
39attack_types:
40 - "Credential Phishing"
41tactics_and_techniques:
42 - "Evasion"
43 - "Social engineering"
44 - "Spoofing"
45detection_methods:
46 - "Content analysis"
47 - "Header analysis"
48 - "Sender analysis"
49id: "74bc0b0c-891d-53c8-ae01-bc12018c5624"