Punycode sender domain
The sender's domain contains punycode, a technique used by attackers to impersonate legitimate domains.
Sublime rule
name: Punycode sender domain
description: |
  The sender's domain contains punycode, a technique
  used by attackers to impersonate legitimate domains.
references:
  - "https://cybersecurityventures.com/beware-of-lookalike-domains-in-punycode-phishing-attacks/"
  - "https://twitter.com/krabsonsecurity/status/1340935135076569089"
  - "https://en.wikipedia.org/wiki/IDN_homograph_attack"
type: "rule"
severity: "high"
source: |
  type.inbound
  and strings.ilike(sender.email.domain.domain, "*xn--*")
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Lookalike domain"
  - "Punycode"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
id: "bc3d8db5-dc83-5b77-bee4-9cf62f32b6de"
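The rule above fires on any sender domain containing an ACE label (`xn--`), which includes legitimate internationalised domains as well as homograph lookalikes. The Python below is an added example, not part of the Sublime rule or its repository: it mirrors the rule's case-insensitive `*xn--*` match, then decodes each punycode label and reports the Unicode scripts used so an analyst can tell a Cyrillic-only label under a Latin TLD from an ordinary IDN. The sample addresses are constructed for the demo.

```python
import unicodedata
from email.utils import parseaddr


def sender_domain(address: str) -> str:
    """Domain part of an RFC 5322 address such as 'Name <user@host>'."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def is_punycode_domain(domain: str) -> bool:
    """Same test as strings.ilike(domain, "*xn--*"): case-insensitive substring."""
    return "xn--" in domain.lower()


def decode_domain(domain: str) -> str:
    """Turn each ACE label (xn--...) back into Unicode for triage.

    Labels that are not valid punycode are left in their ASCII form.
    """
    labels = []
    for label in domain.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass
        labels.append(label)
    return ".".join(labels)


def label_scripts(label: str) -> set:
    """Scripts of the letters in a label, taken from the first word of the Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def triage(address: str) -> dict:
    """Apply the rule's match and add the decoded form plus per-label scripts."""
    domain = sender_domain(address)
    decoded = decode_domain(domain)
    # A label whose letters are all Cyrillic next to a Latin TLD is the classic homograph shape;
    # a Latin-script label with accented letters is what a legitimate IDN usually looks like.
    scripts = [sorted(label_scripts(part)) for part in decoded.split(".")]
    return {"domain": domain, "matched": is_punycode_domain(domain),
            "decoded": decoded, "scripts": scripts}


if __name__ == "__main__":
    for sample in ("billing@xn--80ak6aa92e.com",      # constructed: lookalike of a Latin brand
                   "Rathaus <info@xn--mnchen-3ya.de>",  # constructed: ordinary German IDN
                   "alice@example.com"):                # constructed: no ACE label, rule does not fire
        print(triage(sample))
```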