Link: Display text with excessive right-to-left mark characters

Detects links where the display text contains a high concentration of Unicode right-to-left mark characters (U+200F), which may be used to obfuscate or manipulate the visual representation of the link text to deceive recipients.

Sublime rule (View on GitHub)

name: "Link: Display text with excessive right-to-left mark characters"
description: "Detects links where the display text contains a high concentration of Unicode right-to-left mark characters (U+200F), which may be used to obfuscate or manipulate the visual representation of the link text to deceive recipients."
type: "rule"
severity: "low"
source: |
  type.inbound
  // only consider messages whose HTML body has fewer than 10 links
  and length(html.xpath(body.html, '//a').nodes) < 10
  // display text with two or more letter + U+200F pairs in a row, followed by a letter
  and any(html.xpath(body.html, '//a').nodes,
          regex.icontains(.inner_text, '(?:[A-Za-z]\x{200F}){2,}[A-Za-z]')
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "a45cfd4c-3690-51a8-96b8-fb4daab18eca"
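
The rule's two conditions reproduced in Python over constructed HTML bodies, to show which link texts cross the threshold and which do not. This is an added example, not Sublime's own code: `AnchorText`, `rule_matches`, `rendered_text` and the sample bodies are hypothetical names, and Python's `html.parser` stands in for `html.xpath(...)` and `.inner_text`.

```python
import re
from html.parser import HTMLParser

RLM = "\u200f"  # U+200F RIGHT-TO-LEFT MARK, a zero-width formatting character
# Same expression as the rule: two or more (letter + RLM) pairs, then a letter.
PATTERN = re.compile(r"(?:[A-Za-z]\u200F){2,}[A-Za-z]")
MAX_LINKS = 10  # the rule only fires when the body has fewer than 10 <a> nodes

class AnchorText(HTMLParser):
    """Collect the decoded text of each <a> element (stand-in for .inner_text)."""
    def __init__(self):
        super().__init__(convert_charrefs=True)  # decodes &#x200F; to U+200F
        self.texts, self.in_a = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.in_a = True
            self.texts.append("")
    def handle_endtag(self, tag):
        if tag == "a":
            self.in_a = False
    def handle_data(self, data):
        if self.in_a:
            self.texts[-1] += data

def anchor_texts(html):
    parser = AnchorText()
    parser.feed(html)
    parser.close()
    return parser.texts

def rule_matches(html):
    texts = anchor_texts(html)
    return len(texts) < MAX_LINKS and any(PATTERN.search(t) for t in texts)

def rendered_text(text):
    """Link text with the marks removed, which is how it reads on screen."""
    return text.replace(RLM, "")

# Constructed samples (not taken from real mail).
HIT = '<p>Quota notice</p><a href="https://example.invalid/">S&#x200F;i&#x200F;g&#x200F;n in</a>'
ONE_MARK = '<a href="https://example.invalid/">Docs\u200f</a> <a href="#">A\u200fB</a>'
MANY_LINKS = HIT + '<a href="#">more</a>' * 9  # 10 anchors: link-count gate fails

if __name__ == "__main__":
    for name, body in [("HIT", HIT), ("ONE_MARK", ONE_MARK), ("MANY_LINKS", MANY_LINKS)]:
        print(name, rule_matches(body), [rendered_text(t) for t in anchor_texts(body)])
```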