Brand impersonation: GitHub with callback scam indicators

Detects messages using GitHub's noreply address that contain callback scam language, brand impersonation tactics, or fraudulent purchase/payment content with phone numbers for victim contact.

Sublime rule (View on GitHub)

# Sublime detection rule; the `source` block is an MQL query evaluated per
# inbound message. The sender gate is an exact match on GitHub's own noreply
# address, so what this rule catches is scam text that arrived through
# GitHub-originated mail (presumably attacker-authored notification content,
# e.g. issue/PR text — confirm against samples), not a lookalike domain.
name: "Brand impersonation: GitHub with callback scam indicators"
description: "Detects messages using GitHub's noreply address that contain callback scam language, brand impersonation tactics, or fraudulent purchase/payment content with phone numbers for victim contact."
type: "rule"
severity: "medium"
source: |
  // Direction and sender gate: exact string match, so lookalike sender
  // addresses do not fire this rule.
  type.inbound
  and sender.email.email == 'noreply@github.com'
  // The lure is expected in the body text; messages carrying any
  // attachment are excluded from this rule.
  and length(attachments) == 0
  and (
    // Path 1: the NLU classifier tags the current thread text with the
    // callback_scam intent at any confidence other than "low".
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "callback_scam" and .confidence != "low"
    )
    // Path 2: heuristic stack — impersonated brand AND purchase/payment
    // vocabulary AND a phone number. All three sub-conditions must hold.
    or (
      // Brands commonly name-dropped in refund/callback scams. The [o0]
      // classes and the bounded gap in geek.{0,5}squad absorb common
      // homoglyph and spacing obfuscation.
      regex.icontains(body.current_thread.text,
                      (
                        "mcafee|n[o0]rt[o0]n|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifel[o0]ck"
                      )
      )
      // At least 3 of the keywords below. Several wildcards are broad on
      // purpose ('*call*' also matches "callback"/"called", '*order*'
      // matches "border"); the 3-of threshold plus the brand and phone
      // requirements are what keep precision acceptable.
      and (
        3 of (
          strings.ilike(body.current_thread.text, '*purchase*'),
          strings.ilike(body.current_thread.text, '*payment*'),
          strings.ilike(body.current_thread.text, '*transaction*'),
          strings.ilike(body.current_thread.text, '*subscription*'),
          strings.ilike(body.current_thread.text, '*antivirus*'),
          strings.ilike(body.current_thread.text, '*order*'),
          strings.ilike(body.current_thread.text, '*support*'),
          strings.ilike(body.current_thread.text, '*receipt*'),
          strings.ilike(body.current_thread.text, '*invoice*'),
          strings.ilike(body.current_thread.text, '*call*'),
          strings.ilike(body.current_thread.text, '*cancel*'),
          strings.ilike(body.current_thread.text, '*renew*'),
          strings.ilike(body.current_thread.text, '*refund*'),
          strings.ilike(body.current_thread.text, '*host key*')
        )
      )
      // phone number regex
      // Checked against both the body text and the subject. Two patterns
      // are supplied (presumably OR-ed by regex.icontains). The digit
      // classes [ilo0-9] accept i/l/o as obfuscations of 1/0. In the first
      // pattern the unescaped '.' between the area code and the prefix is
      // a mandatory single separator of any character, and the '?' after
      // {3} is a lazy modifier with no effect on a fixed count. The second
      // pattern allows zero to five separators per gap, including U+22C5
      // (⋅); note its area-code group uses \d rather than [ilo0-9].
      and any([body.current_thread.text, subject.subject],
              regex.icontains(.,
                              '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                              '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
              )
      )
    )
  )  

# Classification metadata: attack type, MITRE-style tactics/techniques and
# the detection methods the query relies on.
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
# Stable rule identifier; keep unchanged when editing the query.
id: "f07b1ca0-de6c-58e4-a695-faf908631049"