Cyrillic vowel substitution in subject or display name from unknown sender

 1name: "Cyrillic vowel substitution in subject or display name from unknown sender"
 2description: "This rule detects unsolicited messages containing a mix of Cyrillic and Latin characters in the subject or sender's name while excluding emails from Russian domains and specific Google Calendar notification bounce emails."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  
 8  // message contains between 1 and 9 links
 9  and 0 < length(body.links) < 10
10  
11  //  display name or subject contains Cyrillic vowels in addition to standard letters
12  and any([subject.subject, sender.display_name],
13          regex.icontains(., '(а|е|и|о|у)') and regex.icontains(., '[a-z]')
14  )
15  
16  // and the senders tld or return path is not "ru"
17  and not (
18    sender.email.domain.tld == "ru" or headers.return_path.domain.tld == "ru"
19  )
20  // and the return path is not 'calendar-server.bounces.google.com'
21  and not headers.return_path.domain.domain == 'calendar-server.bounces.google.com'
22  and not headers.return_path.domain.domain == 'identity-reachout.bounces.google.com'
23  and not headers.return_path.domain.domain == 'bounce-sg.zoom.us'
24  and not headers.return_path.domain.domain == 'bounce.dataminr.com'
25  
26  // the message is unsolicited and no false positives
27  and (
28    not profile.by_sender().solicited
29    or (
30      length(headers.reply_to) > 0
31      and all(headers.reply_to, .email.email not in $recipient_emails)
32    )
33  )
34  and not profile.by_sender().any_false_positives  
35
36attack_types:
37  - "Credential Phishing"
38tactics_and_techniques:
39  - "Evasion"
40  - "Social engineering"
41  - "Spoofing"
42detection_methods:
43  - "Content analysis"
44  - "Header analysis"
45  - "Sender analysis"
46id: "74bc0b0c-891d-53c8-ae01-bc12018c5624"