Cyrillic vowel substitution in subject or display name from unknown sender

This rule detects unsolicited messages containing a mix of Cyrillic and Latin characters in the subject or sender's name while excluding emails from Russian domains and specific Google Calendar notification bounce emails.

Sublime rule (View on GitHub)

 1name: "Cyrillic vowel substitution in subject or display name from unknown sender"
 2description: "This rule detects unsolicited messages containing a mix of Cyrillic and Latin characters in the subject or sender's name while excluding emails from Russian domains and specific Google Calendar notification bounce emails."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  
 8  // message contains between 1 and 9 links
 9  and 0 < length(body.links) < 10
10  
11  //  display name or subject contains Cyrillic vowels in addition to standard letters
12  and any([subject.subject, sender.display_name],
13          regex.icontains(., '(а|е|и|о|у)') and regex.icontains(., '[a-z]')
14  )
15  
16  // and the senders tld or return path is not "ru"
17  and not (
18    sender.email.domain.tld == "ru" or headers.return_path.domain.tld == "ru"
19  )
20  // and the return path is not 'calendar-server.bounces.google.com'
21  and not headers.return_path.domain.domain == 'calendar-server.bounces.google.com'
22  and not headers.return_path.domain.domain == 'identity-reachout.bounces.google.com'
23  and not headers.return_path.domain.domain == 'bounce-sg.zoom.us'
24  and not headers.return_path.domain.domain == 'bounce.dataminr.com'
25  
26  // the message is unsolicited and no false positives
27  and (
28    not profile.by_sender().solicited
29    or (
30      length(headers.reply_to) > 0
31      and all(headers.reply_to, .email.email not in $recipient_emails)
32    )
33  )
34  and not profile.by_sender().any_false_positives
35    
36tags:
37 - "Attack surface reduction"
38attack_types:
39  - "Credential Phishing"
40tactics_and_techniques:
41  - "Evasion"
42  - "Social engineering"
43  - "Spoofing"
44detection_methods:
45  - "Content analysis"
46  - "Header analysis"
47  - "Sender analysis"
48id: "74bc0b0c-891d-53c8-ae01-bc12018c5624"

Related rules

to-top