Display Name Emoji with Financial Symbols

calendar Jan 12, 2026  ·
Share on: linkedin copy

Detects messages where the sender's display name contains emoji characters alongside financial symbols ($ £ € ¥ ₿) in the subject line. The sender's domain is not present in the Alexa top 1 million sites and has DMARC authentication issues.

Sublime rule (View on GitHub)

 1name: "Display Name Emoji with Financial Symbols"
 2description: "Detects messages where the sender's display name contains emoji characters alongside financial symbols ($ £ € ¥ ₿) in the subject line. The sender's domain is not present in the Alexa top 1 million sites and has DMARC authentication issues."
 3type: "rule"
 4severity: "low"
 5source: |
 6  type.inbound
 7  // Check for emoji in sender display name using Unicode ranges
 8  and regex.contains(sender.display_name,
 9                     '[\x{1F600}-\x{1F64F}]|[\x{1F300}-\x{1F5FF}]|[\x{1F680}-\x{1F6FF}]|[\x{1F1E0}-\x{1F1FF}]|[\x{2600}-\x{26FF}]|[\x{2700}-\x{27BF}]'
10  )
11  // Check for financial symbols in subject
12  and regex.contains(subject.subject, '[\$£€¥₿]')
13  and (
14    headers.auth_summary.dmarc.pass is null
15    or headers.auth_summary.dmarc.pass == false
16  )
17  and sender.email.domain.root_domain not in $alexa_1m  
18attack_types:
19  - "BEC/Fraud"
20  - "Callback Phishing"
21tactics_and_techniques:
22  - "Social engineering"
23  - "Evasion"
24detection_methods:
25  - "Content analysis"
26  - "Header analysis"
27  - "Sender analysis"
28id: "f316f335-51ac-5ead-a059-53fdcb0cb50c"
to-top