Brand impersonation: GoDaddy

calendar Sep 17, 2025  ·
Share on: linkedin copy

Detects messages where the sender is impersonating GoDaddy through display name manipulation or lookalike domains, while not being legitimately authenticated from GoDaddy's infrastructure.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: GoDaddy"
 2description: "Detects messages where the sender is impersonating GoDaddy through display name manipulation or lookalike domains, while not being legitimately authenticated from GoDaddy's infrastructure."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    regex.icontains(sender.display_name, 'godaddy')
 9    or strings.ilike(sender.display_name, "*godaddy*")
10    or strings.ilevenshtein(sender.display_name, 'godaddy') <= 1
11    or strings.ilike(sender.email.domain.domain, '*godaddy*')
12  )
13  and not (
14    sender.email.domain.root_domain in (
15      "godaddy.com",
16      "registry.godaddy",
17      "sucuri.net"
18    )
19    and headers.auth_summary.dmarc.pass
20  )
21  and not profile.by_sender().solicited
22  // negate highly trusted sender domains unless they fail DMARC authentication
23  and (
24    (
25      sender.email.domain.root_domain in $high_trust_sender_root_domains
26      and not headers.auth_summary.dmarc.pass
27    )
28    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
29  )  
30
31attack_types:
32  - "Credential Phishing"
33tactics_and_techniques:
34  - "Impersonation: Brand"
35  - "Social engineering"
36detection_methods:
37  - "Header analysis"
38  - "Sender analysis"
39id: "4130d555-40fc-5b12-bbf0-60cf5e93c15f"
to-top