#Malware Theory #Initial Access #Tricks

Malware Delivery Tricks

RTLO

Right-To-Left Override (RTLO) is a non-printing Unicode character (U+202E) that supports languages written right-to-left, such as Hebrew and Arabic. Everything after the character, up to the end of the text, is displayed right-to-left. Windows also accepts this character in file names.

The file name example[U+202E]xcod.exe is displayed as exampleexe.docx. Although the file still has an .exe extension, the user sees a fake .docx extension. This provides many opportunities to deceive the victim.

Windows Defender detects an RTLO in a file name when it is used to add a fake file extension: flipping txt.exe into exe.txt is caught because .txt is a real extension. To confuse the AV, the fake extension can use an identical-looking Cyrillic letter instead of the ASCII one, e.g. "х" (U+0445) in place of "x".

Spaces before file extension

The file name can contain a large number of spaces before the extension. In some views (such as Windows File Explorer) the name is too long to fit, the spaces are cut off, and the true file extension is hidden. Example: file.txt <spaces>.exe.

You may want to add something else before the extension so that the spaces are not at the very end of the file name, just to confuse EDR rules.

Double file extension

A file name may include a secondary file type extension that may cause only the first extension to be displayed. For example file.txt.exe may render in some views (e.g. Windows file explorer, cloud storage) as just file.txt.
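As an added example (not part of the original page), the following Python check flags file names that use the three tricks described above: it approximates how an RTLO is rendered, compares the displayed extension with the one Windows actually resolves, and looks for padding spaces, Cyrillic look-alikes in the displayed extension, and a document extension stacked in front of an executable one. The executable-extension list and the look-alike set are constructed assumptions, not from the page.

```python
import re

RTLO = "\u202e"
# Constructed list of extensions treated as executable for this example.
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "hta", "lnk"}
# Constructed subset of Cyrillic letters that render like Latin a, e, o, p, c, y, x.
CYRILLIC_LOOKALIKES = set("\u0430\u0435\u043e\u0440\u0441\u0443\u0445")


def displayed_name(name: str) -> str:
    """Approximate how a file manager renders a name containing an RTLO:
    text before the override is shown as-is, everything after it reversed."""
    head, sep, tail = name.partition(RTLO)
    return head + tail[::-1] if sep else name


def real_extension(name: str) -> str:
    """The extension Windows actually resolves: text after the last dot,
    ignoring the invisible RTLO and any padding spaces."""
    return name.replace(RTLO, "").rsplit(".", 1)[-1].strip().lower()


def check_filename(name: str) -> list[str]:
    """Return the delivery tricks from this page that a file name exhibits."""
    findings = []
    real_ext = real_extension(name)
    shown_ext = displayed_name(name).rsplit(".", 1)[-1].strip()
    if RTLO in name:
        findings.append("rtlo")
    if shown_ext.lower() != real_ext:
        # What the user reads as the extension is not what Windows executes.
        findings.append("displayed_ext_mismatch")
    if any(ch in CYRILLIC_LOOKALIKES for ch in shown_ext):
        # A homoglyph stands in for a letter of the displayed extension.
        findings.append("cyrillic_in_displayed_ext")
    if re.search(r" {5,}\S*\.\w+$", name):
        # A long run of spaces pushes the real extension out of view.
        findings.append("spaces_before_ext")
    parts = name.replace(RTLO, "").replace(" ", "").lower().split(".")
    if len(parts) >= 3 and re.fullmatch(r"[a-z]{2,4}", parts[-2]) and real_ext in EXEC_EXTS:
        # Document-looking extension directly in front of an executable one.
        findings.append("double_ext")
    return findings


if __name__ == "__main__":
    # Constructed sample names, one per trick described on the page.
    for sample in ("example\u202excod.exe", "example\u202e\u0445cod.exe",
                   "file.txt" + " " * 40 + ".exe", "file.txt.exe", "report.docx"):
        print(repr(sample), "->", displayed_name(sample), check_filename(sample))
```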
