Punycode sender domain

The sender's domain contains Punycode (the `xn--` ASCII encoding of an internationalized domain name), which attackers use to register lookalike domains whose Unicode characters render like those of a legitimate domain.

Sublime rule

name: Punycode sender domain
description: |
  The sender's domain contains punycode, a technique
  used by attackers to impersonate legitimate domains.
references:
  - "https://cybersecurityventures.com/beware-of-lookalike-domains-in-punycode-phishing-attacks/"
  - "https://twitter.com/krabsonsecurity/status/1340935135076569089"
  - "https://en.wikipedia.org/wiki/IDN_homograph_attack"
type: "rule"
severity: "high"
source: |
  type.inbound
  and strings.ilike(sender.email.domain.domain, "*xn--*")
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Lookalike domain"
  - "Punycode"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
id: "bc3d8db5-dc83-5b77-bee4-9cf62f32b6de"
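As an added example (not part of the rule above or of Sublime's own code), the condition `strings.ilike(sender.email.domain.domain, "*xn--*")` reproduced in stand-alone Python over constructed sender addresses, going one step further than the rule by decoding the ACE label so an analyst can see which non-ASCII characters the lookalike relies on. It assumes `type.inbound` is true, that `*` is the only wildcard `ilike` needs, and it matches the whole host rather than only the registered domain.

```python
import fnmatch
import unicodedata
from typing import List, Optional

def ilike(value: str, pattern: str) -> bool:
    """Case-insensitive wildcard match standing in for MQL strings.ilike
    (assumption: '*', any run of characters, is the only wildcard needed)."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def sender_domain(address: str) -> str:
    """Lower-cased host part of an address. The rule checks
    sender.email.domain.domain (the registered domain); checking the whole
    host is a superset of that, so nothing the rule would flag is missed."""
    return address.rsplit("@", 1)[-1].strip(" >").lower()

def decode_idn(domain: str) -> Optional[str]:
    """Unicode form of an ACE (xn--) domain, or None if a label does not
    decode. Such a domain still trips the rule, which keys on the string
    and not on decodability, so a decoded form cannot be assumed to exist."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return None

def non_ascii_names(text: str) -> List[str]:
    """Unicode names of the non-ASCII characters, e.g. the Cyrillic 'а' that
    renders like a Latin 'a' in a lookalike domain."""
    return [unicodedata.name(ch, "UNKNOWN") for ch in text if ord(ch) > 0x7F]

def evaluate(address: str) -> dict:
    """The rule's condition for one message (type.inbound is assumed true)."""
    dom = sender_domain(address)
    flagged = ilike(dom, "*xn--*")              # strings.ilike(..., "*xn--*")
    decoded = decode_idn(dom) if flagged else None
    return {"address": address, "flagged": flagged, "decoded": decoded,
            "chars": non_ascii_names(decoded or "")}

# Constructed sample senders; none is taken from a real message.
SAMPLES = [
    "billing@xn--pple-43d.com",  # Cyrillic 'а' + "pple": renders like apple.com
    "alerts@XN--PPLE-43D.com",   # same label in upper case: ilike still matches
    "it-helpdesk@xn--9.com",     # carries the prefix but is not decodable
    "news@example.com",          # plain ASCII, not flagged
]

if __name__ == "__main__":
    for addr in SAMPLES:
        print(evaluate(addr))
```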