Brand impersonation: GoDaddy

calendar Aug 26, 2025  ·
Share on: linkedin copy

Detects messages where the sender is impersonating GoDaddy through display name manipulation or lookalike domains, while not being legitimately authenticated from GoDaddy's infrastructure.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: GoDaddy"
 2description: "Detects messages where the sender is impersonating GoDaddy through display name manipulation or lookalike domains, while not being legitimately authenticated from GoDaddy's infrastructure."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    regex.icontains(sender.display_name, 'godaddy')
 9    or strings.ilike(sender.display_name, "*godaddy*")
10    or strings.ilevenshtein(sender.display_name, 'godaddy') <= 1
11    or strings.ilike(sender.email.domain.domain, '*godaddy*')
12  )
13  and not (
14    sender.email.domain.root_domain in ("godaddy.com", "registry.godaddy")
15    and headers.auth_summary.dmarc.pass
16  )
17  and not profile.by_sender().solicited
18  // negate highly trusted sender domains unless they fail DMARC authentication
19  and (
20    (
21      sender.email.domain.root_domain in $high_trust_sender_root_domains
22      and not headers.auth_summary.dmarc.pass
23    )
24    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
25  )  
26
27attack_types:
28  - "Credential Phishing"
29tactics_and_techniques:
30  - "Impersonation: Brand"
31  - "Social engineering"
32detection_methods:
33  - "Header analysis"
34  - "Sender analysis"
35id: "4130d555-40fc-5b12-bbf0-60cf5e93c15f"
to-top