• Sublime Core Feed
Medium Severity

HTML: Bidirectional (BIDI) HTML override with right to left obfuscation

Labels

BEC/Fraud
Credential Phishing
Evasion
Social engineering
Scripting
Content analysis
HTML analysis

Description

Body HTML contains multiple instances of right-to-left (RTL) text direction override markup, which can be used to visually manipulate text display and potentially bypass common strings checks.

References

No references.

Sublime Security
Created Oct 17th, 2025 • Last updated Oct 17th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
// You should only observe RTL injection when RTL languages are present.
and (
  regex.icount(body.html.raw,
               '<span style="unicode-bidi: bidi-override; display: inline-block;" dir="rtl">'
  ) + regex.icount(body.html.raw, '<bdo dir="rtl">')
// Count allows for scalability for FP's.
) >= 3
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started