DET0527 Right-to-Left Override Masquerading Detection via Filename and Execution Context
| Item | Value |
| --- | --- |
| ID | DET0527 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1036.002 (Right-to-Left Override)
Analytics
Windows
AN1461
Execution of files containing right-to-left override characters (U+202E) to masquerade true file extensions. Often found in phishing payloads or file downloads.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| FilenamePattern | RTLO variants such as \u202E, %E2%80%AE, or byte-encoded forms |
| ExecutionContext | Allows tuning for untrusted sources, e.g., browser downloads or email attachments |
| TimeWindow | Defines correlation between file creation and process execution |
macOS
AN1462
Execution of files with reversed filename extensions using Unicode RTLO character. Frequently used to deceive Gatekeeper and users in Safari or Mail-based phishing.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| FilenameDisplay | Whether user-facing tools display the spoofed name or the true extension |
| GatekeeperBypassFlag | Whether the execution bypassed translocation or quarantine checks |
| UserContext | Scope detection to untrusted or non-admin users |
Linux
AN1463
Execution of user-downloaded or user-created scripts whose true extension is hidden by an RTLO character inserted in the filename, often seen in desktop environments or phishing campaigns.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| ExtensionMismatch | Filter based on mismatched visible extension vs. magic bytes or mime-type |
| ProcessLineage | Correlation between file open and subsequent script interpreter invocation |
| FilenameEntropy | Suspicious Unicode sequences or byte entropy in filenames |