Brand impersonation: Github

Impersonation of GitHub.

Sublime rule

 1name: "Brand impersonation: Github"
 2description: |
 3    Impersonation of Github.
 4references:
 5  - "https://github.blog/2020-04-14-sawfish-phishing-campaign-targets-github-users/"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and not strings.ilike(sender.display_name,
11                        '*course*',
12                        '*bootcamp*',
13                        '*training*'
14  )
15  and (
16    strings.ilike(sender.display_name, '*github*')
17    or strings.ilike(sender.email.email, '*github*')
18    or strings.ilevenshtein(sender.email.domain.sld, 'github') <= 1
19  )
20  // negating listservs
21  and not (
22    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
23    and (
24      strings.contains(sender.display_name, "via")
25      or strings.icontains(subject.subject, "monitor")
26    )
27  )
28  and not (
29    any(headers.hops, any(.fields, .name == "X-GitHub-Reason"))
30    and headers.auth_summary.dmarc.pass
31  )
32  and sender.email.domain.root_domain not in (
33    'github.com',
34    'thegithubshop.com',
35    'gitlab.com',
36    'itthub.net',
37    'githubsupport.com',
38    'gtmhub.com',
39    'githubstatus.com',
40    'githubnext.com',
41    'lithub.com',
42    'icims.com',
43    'bithub.email',
44    'goldcast.io',
45    'luma-mail.com', // GitHub's event invitation software
46    'github.events' // GitHub event newsletters
47  )
48  
49  // negate highly trusted sender domains unless they fail DMARC authentication
50  and (
51    (
52      sender.email.domain.root_domain in $high_trust_sender_root_domains
53      and not headers.auth_summary.dmarc.pass
54    )
55    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
56  )
57  and (
58    not profile.by_sender().solicited
59    or (
60      profile.by_sender().any_messages_malicious_or_spam
61      and not profile.by_sender().any_messages_benign
62    )
63  )
64  and not profile.by_sender().any_messages_benign  
65attack_types:
66  - "Credential Phishing"
67tactics_and_techniques:
68  - "Impersonation: Brand"
69  - "Lookalike domain"
70  - "Social engineering"
71detection_methods:
72  - "Header analysis"
73  - "Sender analysis"
74id: "9402f92b-f2b1-5452-8124-fdad4a88feb4"