Email attachment with Right-to-Left Override Unicode character

Cortex XSIAM Analytics Alert Reference by Alert name

Product: Cortex XSIAM
Last date published: 2025-11-12
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: Microsoft 365 Emails
Detection Modules	Email
Detector Tags	Evasion
ATT&CK Tactic	Defense Evasion (TA0005) Execution (TA0002)
ATT&CK Technique	Masquerading: Masquerade File Type (T1036.008) User Execution (T1204)
Severity	Low

Description

The email message contains an attachment with a hidden Right-to-Left Override Unicode character.

Attacker's Goals

Bypass security filters and deliver malicious content to users
Mislead recipients into opening a malicious file by obscuring its true nature
Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.

Investigative actions

Carefully analyze attachments for any indications of suspicious or malicious behavior.
Scrutinize the attachments for any suspicious indications.
Confirm whether the attachments were successfully delivered to the recipient's mailbox.
If the attachments were delivered successfully, verify whether the recipient downloaded them.