Display Name Emoji with Financial Symbols

Detects inbound messages where the sender's display name contains emoji characters and the subject line contains financial symbols ($ £ € ¥ ₿). Two sender conditions narrow the match: the sender's root domain is not in the Alexa top 1 million sites, and the message either failed DMARC or carries no DMARC result at all.

Sublime rule (View on GitHub)

name: "Display Name Emoji with Financial Symbols"
description: "Detects messages where the sender's display name contains emoji characters alongside financial symbols ($ £ € ¥ ₿) in the subject line. The sender's domain is not present in the Alexa top 1 million sites and has DMARC authentication issues."
type: "rule"
severity: "low"
source: |
  type.inbound
  // Check for emoji in sender display name using Unicode ranges
  and regex.contains(sender.display_name,
                     '[\x{1F600}-\x{1F64F}]|[\x{1F300}-\x{1F5FF}]|[\x{1F680}-\x{1F6FF}]|[\x{1F1E0}-\x{1F1FF}]|[\x{2600}-\x{26FF}]|[\x{2700}-\x{27BF}]'
  )
  // Check for financial symbols in subject
  and regex.contains(subject.subject, '[\$£€¥₿]')

  // DMARC result is missing or failed
  and (
    headers.auth_summary.dmarc.pass is null
    or headers.auth_summary.dmarc.pass == false
  )
  // Sender root domain is not a widely known site
  and sender.email.domain.root_domain not in $alexa_1m

attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "f316f335-51ac-5ead-a059-53fdcb0cb50c"
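The following is an added example, not part of the Sublime rule or its repository: it re-implements the rule's four conditions in plain Python so the logic can be exercised offline against a handful of constructed messages. The message dictionary shape, the `TOP_SITES` stand-in for `$alexa_1m`, and the naive `root_domain` helper (last two labels only) are all assumptions made for the example; the Unicode ranges and the financial-symbol class are copied from the rule, rewritten with Python's `\U` escapes in place of RE2's `\x{...}`.

```python
import re

# Emoji ranges copied verbatim from the rule, in Python escape syntax.
EMOJI_RE = re.compile(
    "[\U0001F600-\U0001F64F]|[\U0001F300-\U0001F5FF]|[\U0001F680-\U0001F6FF]"
    "|[\U0001F1E0-\U0001F1FF]|[\u2600-\u26FF]|[\u2700-\u27BF]"
)

# Financial symbols from the rule; '$' is literal inside a character class.
FINANCIAL_RE = re.compile(r"[$£€¥₿]")

# Assumption: a tiny stand-in for the $alexa_1m list used by the rule.
TOP_SITES = {"example.com", "github.com"}


def root_domain(domain):
    """Assumption: approximate sender.email.domain.root_domain by the last
    two labels. Real public-suffix handling (e.g. co.uk) is out of scope."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def matches(msg):
    """Return True when the constructed message satisfies every rule clause.

    msg keys (assumed shape): direction, display_name, subject,
    sender_email, dmarc_pass (True / False / None, where None models
    the MQL 'is null' case of a message with no DMARC result).
    """
    if msg.get("direction") != "inbound":          # type.inbound
        return False
    display_name = msg.get("display_name") or ""
    subject = msg.get("subject") or ""
    dmarc_pass = msg.get("dmarc_pass")
    domain = msg["sender_email"].rsplit("@", 1)[1]

    return (
        EMOJI_RE.search(display_name) is not None       # emoji in display name
        and FINANCIAL_RE.search(subject) is not None    # financial symbol in subject
        and (dmarc_pass is None or dmarc_pass is False) # DMARC null or failed
        and root_domain(domain) not in TOP_SITES        # not a top-1M root domain
    )


# Constructed sample messages; none of these are real senders.
SAMPLES = {
    # Every clause satisfied: emoji name, '$' in subject, no DMARC, unknown domain.
    "hit": {"direction": "inbound", "display_name": "\U0001F4B0 Payroll Team",
            "subject": "Your $500 bonus is waiting", "dmarc_pass": None,
            "sender_email": "hr@payroll-updates.invalid"},
    # Same message but DMARC passed: the rule does not fire.
    "dmarc_pass": {"direction": "inbound", "display_name": "\U0001F4B0 Payroll Team",
                   "subject": "Your $500 bonus is waiting", "dmarc_pass": True,
                   "sender_email": "hr@payroll-updates.invalid"},
    # No emoji in the display name.
    "no_emoji": {"direction": "inbound", "display_name": "Acme Billing",
                 "subject": "$1,200 invoice attached", "dmarc_pass": False,
                 "sender_email": "billing@acme-invoices.invalid"},
    # Emoji (U+26A0, in the 2600-26FF block) but root domain is on the list.
    "known_domain": {"direction": "inbound", "display_name": "\u26A0 Alerts",
                     "subject": "\u20ac refund processed", "dmarc_pass": None,
                     "sender_email": "noreply@mail.example.com"},
    # U+1F911 lies in 1F900-1F9FF, a block the rule's ranges do not cover.
    "uncovered_block": {"direction": "inbound", "display_name": "\U0001F911 Rewards",
                        "subject": "\u00a3 gift card inside", "dmarc_pass": None,
                        "sender_email": "promo@rewards-now.invalid"},
}


def evaluate_all():
    """Run every sample through matches() and return {name: bool}."""
    return {name: matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:16} -> {'MATCH' if hit else 'no match'}")
```

The last sample is the caveat worth knowing when tuning this rule: the six Unicode ranges in the regex cover the core emoticon, pictograph, transport, flag, and symbol blocks, but not the Supplemental Symbols and Pictographs block (U+1F900 to U+1F9FF), so a display name whose only emoji comes from that block does not satisfy the first clause.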