Link: Display text with excessive right-to-left mark characters
Detects links where the display text contains a high concentration of Unicode right-to-left mark characters (U+200F), which may be used to obfuscate or manipulate the visual representation of the link text to deceive recipients.
Sublime rule
```yaml
name: "Link: Display text with excessive right-to-left mark characters"
description: "Detects links where the display text contains a high concentration of Unicode right-to-left mark characters (U+200F), which may be used to obfuscate or manipulate the visual representation of the link text to deceive recipients."
type: "rule"
severity: "low"
source: |
  type.inbound
  and length(body.links) < 10
  and any(body.links,
          regex.icontains(.display_text, '(?:[A-Za-z]\x{200F}){2,}[A-Za-z]')
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "a45cfd4c-3690-51a8-96b8-fb4daab18eca"
```
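To show what the rule's regex actually catches, here is a stand-alone Python re-implementation of its logic (an added example, not Sublime's own engine or code). The message dictionary layout (`type`, `links`, `display_text`) and the sample message are constructed assumptions that mirror the fields the rule references.

```python
import re
from typing import Dict, List

RLM = "\u200F"  # Unicode RIGHT-TO-LEFT MARK, U+200F

# The rule's pattern in Python syntax: two or more "letter + RLM" pairs
# followed by a letter. re.IGNORECASE mirrors regex.icontains.
INTERLEAVED_RLM = re.compile(r"(?:[A-Za-z]\u200F){2,}[A-Za-z]", re.IGNORECASE)


def has_excessive_rlm(display_text: str) -> bool:
    """True when letters in the display text are interleaved with RLM marks."""
    return INTERLEAVED_RLM.search(display_text) is not None


def strip_rlm(display_text: str) -> str:
    """What the recipient visually reads once the zero-width marks are removed."""
    return display_text.replace(RLM, "")


def rule_matches(message: Dict) -> bool:
    """Mirror of the rule: inbound, fewer than 10 links, any display text matching."""
    if message.get("type") != "inbound":
        return False
    links: List[Dict] = message.get("links", [])
    if len(links) >= 10:
        return False
    return any(has_excessive_rlm(link.get("display_text", "")) for link in links)


# Constructed sample message (assumed field layout, not from the page).
# The first link reads as "Login" to a human but has an RLM between every letter;
# the second is ordinary text and must not trigger.
SAMPLE_MESSAGE = {
    "type": "inbound",
    "links": [
        {"href": "https://example.invalid/verify", "display_text": RLM.join("Login")},
        {"href": "https://example.invalid/help", "display_text": "Help center"},
    ],
}

if __name__ == "__main__":
    for link in SAMPLE_MESSAGE["links"]:
        text = link["display_text"]
        print(f"{strip_rlm(text)!r}: rlm_count={text.count(RLM)} match={has_excessive_rlm(text)}")
    print("rule fires:", rule_matches(SAMPLE_MESSAGE))
```

A single trailing or leading RLM, as legitimately used in mixed Hebrew/Arabic and Latin text, does not match; only letters repeatedly interleaved with the mark do.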