Bi Di Swap URL In Device Network Events
Query
//BiDi Swap Detection
let bidi_chars = dynamic(['%E2%80%AE', '%E2%80%8E', '%E2%80%8F']);
// Die wichtigsten BiDi-Zeichen sind RLO (%E2%80%AE), RLM (%E2%80%8F) und LRM (%E2%80%8E).
// Die Liste oben deckt die gängigsten Bidi-Kontroll- und nicht-druckbaren Steuerzeichen ab (U+2000 bis U+206F).
DeviceNetworkEvents
| where isnotempty(RemoteUrl)
// Suche nach den prozentkodierten BiDi-Zeichen in der URL
| where RemoteUrl has_any (bidi_chars)
| project Timestamp, DeviceName, DeviceId, RemoteUrl, ActionType, InitiatingProcessFileName, RemoteIP, RemotePort, ReportId
| extend Bidi_Character_Found = extract_all(@"(%E2%80%AE|%E2%80%8E|%E2%80%8E)", RemoteUrl)About this query
BiDi Swap URL in DeviceNetworkEvents
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1036.002 | Right-to-Left Override | https://attack.mitre.org/techniques/T1036/002/ |
| TA1001 | Data Obfuscation | https://attack.mitre.org/techniques/T1001/ |
Description
This rule detects the presence of percent-encoded Bi-Directional (BiDi) control characters in URLs within network events. Specifically, it looks for '%E2%80%AE' (Right-to-Left Override - RLO), '%E2%80%8E' (Left-to-Right Mark - LRM), and '%E2%80%8F' (Right-to-Left Mark - RLM). These characters can be used to obfuscate URLs, making malicious links appear benign to users and potentially bypass security controls.
Author <Optional>
- Name: Benjamin Zulliger
- Github: https://github.com/benscha/KQLAdvancedHunting
- LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/
References
Defender XDR
Explanation
This query is designed to detect potentially malicious URLs in network events by identifying the use of specific percent-encoded Bi-Directional (BiDi) control characters. These characters can be used to manipulate the appearance of URLs, making them look legitimate while hiding malicious intent. The query focuses on three specific BiDi characters:
- Right-to-Left Override (RLO):
%E2%80%AE - Left-to-Right Mark (LRM):
%E2%80%8E - Right-to-Left Mark (RLM):
%E2%80%8F
Here's a breakdown of what the query does:
-
Define BiDi Characters: It starts by defining a list of the BiDi characters that are of interest.
-
Filter Network Events: It looks at network events where the URL is not empty.
-
Search for BiDi Characters: It checks if any of the defined BiDi characters are present in the URLs.
-
Project Relevant Data: It selects and displays relevant information such as the timestamp, device name, device ID, URL, action type, initiating process file name, remote IP, remote port, and report ID.
-
Extract BiDi Characters: It extracts and lists any BiDi characters found in the URL for further analysis.
Overall, this query helps in identifying URLs that might be using text direction control characters to disguise their true nature, which is a technique associated with obfuscation and potentially malicious activity.
Details

Benjamin Zulliger
Released: October 28, 2025
Tables
Keywords
Operators