
Summary
This analytic rule detects the presence of Punycode in X.509 certificates using logs generated by Zeek. Punycode-encoded labels are identified by their "xn--" prefix, and this rule specifically checks the Subject Alternative Name (SAN) fields for email addresses and other domains that carry this encoding. Identifying Punycode matters because it can be used in phishing schemes and to evade domain filtering, which poses a considerable risk to network security. Using the `zeek_x509` log data, the rule applies regular expressions to extract the relevant domains, enabling analysts to identify potentially malicious certificates that attackers might use to impersonate legitimate domains. Because of these implications, such findings warrant prompt investigation to prevent unauthorized access or data breaches.
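The check described above, as an added illustration that is not part of the rule itself: it reads Zeek x509.log records in JSON format (the `san.dns`, `san.email` and `certificate.subject` field names are Zeek's; the log lines are constructed samples, not real captures), extracts the domains, flags any label with the "xn--" prefix, and decodes it for the analyst.

```python
import json
import re

# Constructed Zeek x509.log lines (JSON output format); the ids, timestamps
# and names are made up for this example.
SAMPLE_X509_LOG = """
{"ts":1731672000.1,"id":"F1aBcD","certificate.subject":"CN=www.example.com,O=Example","san.dns":["www.example.com","example.com"]}
{"ts":1731672001.2,"id":"F2eFgH","certificate.subject":"CN=xn--pple-43d.com","san.dns":["xn--pple-43d.com","www.xn--pple-43d.com"],"san.email":["admin@xn--pple-43d.com"]}
{"ts":1731672002.3,"id":"F3iJkL","certificate.subject":"CN=mail.corp.example","san.email":["support@corp.example"]}
"""

# A Punycode label starts with "xn--", either at the beginning of the name
# or directly after a dot (so "example.com" is not matched by "xn--" elsewhere).
PUNYCODE_LABEL = re.compile(r"(?:^|\.)xn--", re.IGNORECASE)


def domains_from_record(rec):
    """Collect candidate domains from SAN DNS names, SAN email domains and the subject CN."""
    names = set(rec.get("san.dns", []))
    for addr in rec.get("san.email", []):
        if "@" in addr:
            names.add(addr.rsplit("@", 1)[1])
    match = re.search(r"CN=([^,/]+)", rec.get("certificate.subject", ""))
    if match:
        names.add(match.group(1).strip())
    return names


def to_unicode(domain):
    """Decode an IDNA/Punycode name for display; None if it is not valid IDNA."""
    try:
        return domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return None


def find_punycode_certs(log_text):
    """Return one hit per certificate record that carries a Punycode domain."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        flagged = sorted(d for d in domains_from_record(rec) if PUNYCODE_LABEL.search(d))
        if flagged:
            hits.append({"id": rec["id"], "domains": flagged,
                         "decoded": {d: to_unicode(d) for d in flagged}})
    return hits


if __name__ == "__main__":
    for hit in find_punycode_certs(SAMPLE_X509_LOG):
        print(hit["id"], hit["domains"], hit["decoded"])
```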
Categories
- Network
Data Sources
- Certificate
- Network Traffic
ATT&CK Techniques
- T1573
Created: 2024-11-15