Medium Severity
Cyrillic vowel substitution in subject or display name from unknown sender
Description
This rule detects unsolicited messages containing a mix of Cyrillic and Latin characters in the subject or sender's name while excluding emails from Russian domains and specific Google Calendar notification bounce emails.
References
No references.
Sublime Security
Created Nov 28th, 2023 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
// message contains between 1 and 9 links
and (
0 < length(body.links) < 10
or (
length(body.links) == 0
and length(attachments) > 0
and body.current_thread.text == ""
)
)
// display name or subject contains Cyrillic vowels in addition to standard letters
and any([subject.subject, sender.display_name],
regex.icontains(., '(а|е|и|о|у)') and regex.icontains(., '[a-z]')
)
// and the senders tld or return path is not "ru"
and not (
sender.email.domain.tld == "ru" or headers.return_path.domain.tld == "ru"
)
// and the return path is not 'calendar-server.bounces.google.com'
and not headers.return_path.domain.domain == 'calendar-server.bounces.google.com'
and not headers.return_path.domain.domain == 'identity-reachout.bounces.google.com'
and not headers.return_path.domain.domain == 'bounce-sg.zoom.us'
and not headers.return_path.domain.domain == 'bounce.dataminr.com'
and not headers.return_path.domain.domain == 'mail-us.atlassian.net'
// the message is unsolicited and no false positives
and (
not profile.by_sender().solicited
or (
length(headers.reply_to) > 0
and all(headers.reply_to, .email.email not in $recipient_emails)
)
)
and not profile.by_sender().any_messages_benign
Playground
Test against your own EMLs or sample data.