Brand impersonation: Github

Impersonation of Github.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Github"
 2description: |
 3    Impersonation of Github.
 4references:
 5  - "https://github.blog/2020-04-14-sawfish-phishing-campaign-targets-github-users/"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and not strings.ilike(sender.display_name,
11                        '*course*',
12                        '*bootcamp*',
13                        '*training*'
14  )
15  and (
16    strings.ilike(sender.display_name, '*github*')
17    or strings.ilike(sender.email.email, '*github*')
18    or strings.ilevenshtein(sender.email.domain.sld, 'github') <= 1
19  )
20  // negating listservs
21  and not (
22    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
23    and (
24      strings.contains(sender.display_name, "via")
25      or strings.icontains(subject.subject, "monitor")
26    )
27  )
28  and sender.email.domain.root_domain not in (
29    'github.com',
30    'thegithubshop.com',
31    'gitlab.com',
32    'itthub.net',
33    'githubsupport.com',
34    'gtmhub.com',
35    'githubstatus.com',
36    'githubnext.com',
37    'lithub.com',
38    'icims.com',
39    'bithub.email',
40    'goldcast.io',
41    'luma-mail.com', // GitHub's event invitation software
42    'github.events' // GitHub event newsletters
43  )
44  
45  // negate highly trusted sender domains unless they fail DMARC authentication
46  and (
47    (
48      sender.email.domain.root_domain in $high_trust_sender_root_domains
49      and not headers.auth_summary.dmarc.pass
50    )
51    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
52  )
53  and (
54    not profile.by_sender().solicited
55    or (
56      profile.by_sender().any_messages_malicious_or_spam
57      and not profile.by_sender().any_messages_benign
58    )
59  )
60  and not profile.by_sender().any_messages_benign  
61attack_types:
62  - "Credential Phishing"
63tactics_and_techniques:
64  - "Impersonation: Brand"
65  - "Lookalike domain"
66  - "Social engineering"
67detection_methods:
68  - "Header analysis"
69  - "Sender analysis"
70id: "9402f92b-f2b1-5452-8124-fdad4a88feb4"
to-top