diff --git a/detection-rules/link_domain_containing_confusable_characters_asr.yml b/detection-rules/link_domain_containing_confusable_characters_asr.yml
new file mode 100644
index 00000000000..d722a18b980
--- /dev/null
+++ b/detection-rules/link_domain_containing_confusable_characters_asr.yml
@@ -0,0 +1,19 @@
+name: "Link: Domain contains confusable characters"
+description: "Detects links containing Unicode confusable characters that could be used to spoof legitimate domains by replacing standard characters with visually similar alternatives."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and any(body.links, .href_url.url != strings.replace_confusables(.href_url.url))
+tags:
+ - "Attack surface reduction"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Lookalike domain"
+ - "Punycode"
+detection_methods:
+ - "Content analysis"
+ - "URL analysis"
+id: "75672610-e11c-5650-8139-43f12870f294"
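Review bot: The rule is named "Domain contains confusable characters" but the condition in `source` compares the whole `.href_url.url`, so a confusable anywhere in the path, query or fragment fires it; legitimate internationalized sites routinely carry non-ASCII characters there, which is noise for a domain-spoofing detection and inconsistent with the name. Scope the comparison to the host, e.g. `and any(body.links, .href_url.domain.domain != strings.replace_confusables(.href_url.domain.domain))`, if the link schema exposes the domain that way as other rules in this corpus do; otherwise drop "Domain" from the name and description so they match what the logic actually inspects. The "Punycode" technique tag also looks inaccurate for this logic: an `xn--` host is pure ASCII and `replace_confusables` would leave it unchanged unless `href_url.url` is already IDNA-decoded, so either confirm that decoding happens upstream or remove the tag. A short comment in the block scalar stating which URL component is being compared and why would help the next reviewer, e.g. `# compare the host only: confusables in path/query are common on legitimate i18n sites`.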