Medium Severity

Cyrillic vowel substitution in subject or display name from unknown sender

Labels

Credential Phishing

Evasion

Description

This rule detects unsolicited messages containing a mix of Cyrillic and Latin characters in the subject or sender's name while excluding emails from Russian domains and specific Google Calendar notification bounce emails.

References

No references.

Sublime Security

Created Nov 28th, 2023 • Last updated Jul 16th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound

// message contains between 1 and 9 links
and (
  0 < length(body.links) < 10
  or (
    length(body.links) == 0
    and length(attachments) > 0
    and body.current_thread.text == ""
  )
)

//  display name or subject contains Cyrillic vowels in addition to standard letters
and any([subject.subject, sender.display_name],
        regex.icontains(., '(а|е|и|о|у)') and regex.icontains(., '[a-z]')
)

// and the senders tld or return path is not "ru"
and not (
  sender.email.domain.tld == "ru" or headers.return_path.domain.tld == "ru"
)
// and the return path is not 'calendar-server.bounces.google.com'
and not headers.return_path.domain.domain == 'calendar-server.bounces.google.com'
and not headers.return_path.domain.domain == 'identity-reachout.bounces.google.com'
and not headers.return_path.domain.domain == 'bounce-sg.zoom.us'
and not headers.return_path.domain.domain == 'bounce.dataminr.com'
and not headers.return_path.domain.domain == 'mail-us.atlassian.net'

// the message is unsolicited and no false positives
and (
  not profile.by_sender().solicited
  or (
    length(headers.reply_to) > 0
    and all(headers.reply_to, .email.email not in $recipient_emails)
  )
)
and not profile.by_sender().any_messages_benign

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.