Brand impersonation: Github
Impersonation of Github.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Github"
2description: |
3 Impersonation of Github.
4references:
5 - "https://github.blog/2020-04-14-sawfish-phishing-campaign-targets-github-users/"
6type: "rule"
7severity: "high"
8source: |
9 type.inbound
10 and not strings.ilike(sender.display_name,
11 '*course*',
12 '*bootcamp*',
13 '*training*'
14 )
15 and (
16 strings.ilike(sender.display_name, '*github*')
17 or strings.ilike(sender.email.email, '*github*')
18 or strings.ilevenshtein(sender.email.domain.sld, 'github') <= 1
19 )
20 // negating listservs
21 and not (
22 any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
23 and (
24 strings.contains(sender.display_name, "via")
25 or strings.icontains(subject.subject, "monitor")
26 )
27 )
28 and sender.email.domain.root_domain not in (
29 'github.com',
30 'thegithubshop.com',
31 'gitlab.com',
32 'itthub.net',
33 'githubsupport.com',
34 'gtmhub.com',
35 'githubstatus.com',
36 'githubnext.com',
37 'lithub.com',
38 'icims.com',
39 'bithub.email',
40 'goldcast.io',
41 'luma-mail.com', // GitHub's event invitation software
42 'github.events' // GitHub event newsletters
43 )
44
45 // negate highly trusted sender domains unless they fail DMARC authentication
46 and (
47 (
48 sender.email.domain.root_domain in $high_trust_sender_root_domains
49 and not headers.auth_summary.dmarc.pass
50 )
51 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
52 )
53 and (
54 not profile.by_sender().solicited
55 or (
56 profile.by_sender().any_messages_malicious_or_spam
57 and not profile.by_sender().any_messages_benign
58 )
59 )
60 and not profile.by_sender().any_messages_benign
61attack_types:
62 - "Credential Phishing"
63tactics_and_techniques:
64 - "Impersonation: Brand"
65 - "Lookalike domain"
66 - "Social engineering"
67detection_methods:
68 - "Header analysis"
69 - "Sender analysis"
70id: "9402f92b-f2b1-5452-8124-fdad4a88feb4"