Brand impersonation: Github

 1name: "Brand impersonation: Github"
 2description: |
 3    Impersonation of Github.
 4references:
 5  - "https://github.blog/2020-04-14-sawfish-phishing-campaign-targets-github-users/"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and not strings.ilike(sender.display_name,
11                        '*course*',
12                        '*bootcamp*',
13                        '*training*'
14  )
15  and (
16    strings.ilike(sender.display_name, '*github*')
17    or strings.ilike(sender.email.email, '*github*')
18    or strings.ilevenshtein(sender.email.domain.sld, 'github') <= 1
19  )
20  // negating listservs
21  and not (
22    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
23    and strings.contains(sender.display_name, "via")
24  )
25  and sender.email.domain.root_domain not in (
26    'github.com',
27    'thegithubshop.com',
28    'gitlab.com',
29    'itthub.net',
30    'githubsupport.com',
31    'gtmhub.com',
32    'githubstatus.com',
33    'githubnext.com',
34    'lithub.com',
35    'icims.com',
36    'bithub.email',
37    'goldcast.io',
38    'luma-mail.com' // GitHub's event invitation software
39  )
40
41  // negate highly trusted sender domains unless they fail DMARC authentication
42  and (
43    (
44      sender.email.domain.root_domain in $high_trust_sender_root_domains
45      and not headers.auth_summary.dmarc.pass
46    )
47    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
48  )
49  and (
50    not profile.by_sender().solicited
51    or (
52      profile.by_sender().any_messages_malicious_or_spam
53      and not profile.by_sender().any_false_positives
54    )
55  )
56  and not profile.by_sender().any_false_positives  
57attack_types:
58  - "Credential Phishing"
59tactics_and_techniques:
60  - "Impersonation: Brand"
61  - "Lookalike domain"
62  - "Social engineering"
63detection_methods:
64  - "Header analysis"
65  - "Sender analysis"
66id: "9402f92b-f2b1-5452-8124-fdad4a88feb4"