From 09bc6b4c8351abdead09b184c0f20882897efd97 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Sat, 8 Nov 2025 13:45:29 -0500
Subject: [PATCH 1/2] Add detection rule for confusable character domains

This rule detects links containing Unicode confusable characters that may spoof legitimate domains.
---
 ...in_containing_confusable_characters_asr.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 detection-rules/link_domain_containing_confusable_characters_asr.yml

diff --git a/detection-rules/link_domain_containing_confusable_characters_asr.yml b/detection-rules/link_domain_containing_confusable_characters_asr.yml
new file mode 100644
index 00000000000..6ed752d8c00
--- /dev/null
+++ b/detection-rules/link_domain_containing_confusable_characters_asr.yml
@@ -0,0 +1,18 @@
+name: "Link: Domain contains confusable characters"
+description: "Detects links containing Unicode confusable characters that could be used to spoof legitimate domains by replacing standard characters with visually similar alternatives."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and any(body.links, .href_url.url != strings.replace_confusables(.href_url.url))
+tags:
+ - "Attack surface reduction"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Lookalike domain"
+ - "Punycode"
+detection_methods:
+ - "Content analysis"
+ - "URL analysis"

From 2e2c7ac6fb25288bbf2bd9dc23bd9c62ba05472e Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Sat, 8 Nov 2025 18:48:08 +0000
Subject: [PATCH 2/2] Auto add rule ID

---
 .../link_domain_containing_confusable_characters_asr.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection-rules/link_domain_containing_confusable_characters_asr.yml b/detection-rules/link_domain_containing_confusable_characters_asr.yml
index 6ed752d8c00..d722a18b980 100644
--- a/detection-rules/link_domain_containing_confusable_characters_asr.yml
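Review bot: The condition under `source:` compares the full `.href_url.url` against its confusable-replaced form, but the rule name and description promise a domain check; a confusable character anywhere in the path, query or fragment (localized page slugs, for instance) fires the rule just the same, which is noisier than "Domain contains confusable characters" suggests. Narrowing the comparison to the domain component, `and any(body.links, .href_url.domain.domain != strings.replace_confusables(.href_url.domain.domain))`, matches the stated intent and removes that noise. Separately, "Punycode" is listed under `tactics_and_techniques`, yet an `xn--` encoded domain is plain ASCII and `strings.replace_confusables` would appear to leave it unchanged, so the rule as written seems to cover only raw Unicode confusables in the link; either drop that tag or state the limitation in the description.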
+++ b/detection-rules/link_domain_containing_confusable_characters_asr.yml
@@ -16,3 +16,4 @@ tactics_and_techniques:
 detection_methods:
 - "Content analysis"
 - "URL analysis"
+id: "75672610-e11c-5650-8139-43f12870f294"