[PR #3502] added rule: Link to a domain with punycode characters

Author: github-actions[bot]

detection-rules/3502_link_contains_punycode_characters.yml

@@ -0,0 +1,33 @@
+name: "Link to a domain with punycode characters"
+description: |
+  The body contains a link to a domain with Punycode characters to hide the true URL destination, or contains non-printable ASCII content.
+references:
+  - "https://www.bleepingcomputer.com/news/security/hackers-abuse-lookalike-domains-and-favicons-for-credit-card-theft/"
+type: "rule"
+authors:
+  - twitter: "ajpc500"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    any(body.links,
+        .href_url.domain.punycode is not null and .href_url.domain.valid == true
+    )
+    or any(body.links, strings.starts_with(.href_url.domain.domain, "xn--"))
+  )
+
+tags:
+  - "Attack surface reduction"
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Lookalike domain"
+  - "Punycode"
+detection_methods:
+  - "Sender analysis"
+  - "URL analysis"
+id: "13bfcdfe-0f61-565f-ac9f-ee45e6bcbaeb"
+og_id: "74b3698c-d75e-52db-9596-48af93817822"
+testing_pr: 3502
+testing_sha: f1f3ba095dfaa87fecff56507becbdf73495fd97