• Sublime Core Feed
Low Severity

Link: Display text with excessive right-to-left mark characters

Labels

Credential Phishing
Evasion
Content analysis
URL analysis

Description

Detects links where the display text contains a high concentration of Unicode right-to-left mark characters (U+200F), which may be used to obfuscate or manipulate the visual representation of the link text to deceive recipients.

References

No references.

Sublime Security
Created Jan 6th, 2026 • Last updated Jan 21st, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and length(html.xpath(body.html, '//a').nodes) < 10
and any(html.xpath(body.html, '//a').nodes,
        regex.icontains(.inner_text, '(?:[A-Za-z]\x{200F}){2,}[A-Za-z]')
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started