Brand impersonation: Github
Impersonation of Github.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Github"
2description: |
3 Impersonation of Github.
4references:
5 - "https://github.blog/2020-04-14-sawfish-phishing-campaign-targets-github-users/"
6type: "rule"
7severity: "high"
8source: |
9 type.inbound
10 and not strings.ilike(sender.display_name,
11 '*course*',
12 '*bootcamp*',
13 '*training*'
14 )
15 and (
16 strings.ilike(sender.display_name, '*github*')
17 or strings.ilike(sender.email.email, '*github*')
18 or strings.ilevenshtein(sender.email.domain.sld, 'github') <= 1
19 )
20 // negating listservs
21 and not (
22 any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
23 and strings.contains(sender.display_name, "via")
24 )
25 and sender.email.domain.root_domain not in (
26 'github.com',
27 'gitlab.com',
28 'itthub.net',
29 'githubsupport.com',
30 'gtmhub.com',
31 'githubstatus.com',
32 'githubnext.com',
33 'lithub.com',
34 'icims.com',
35 'bithub.email'
36 )
37
38 // negate highly trusted sender domains unless they fail DMARC authentication
39 and (
40 (
41 sender.email.domain.root_domain in $high_trust_sender_root_domains
42 and (
43 any(distinct(headers.hops, .authentication_results.dmarc is not null),
44 strings.ilike(.authentication_results.dmarc, "*fail")
45 )
46 )
47 )
48 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
49 )
50 and (
51 not profile.by_sender().solicited
52 or (
53 profile.by_sender().any_messages_malicious_or_spam
54 and not profile.by_sender().any_false_positives
55 )
56 )
57 and not profile.by_sender().any_false_positives
58attack_types:
59 - "Credential Phishing"
60tactics_and_techniques:
61 - "Impersonation: Brand"
62 - "Lookalike domain"
63 - "Social engineering"
64detection_methods:
65 - "Header analysis"
66 - "Sender analysis"
67id: "9402f92b-f2b1-5452-8124-fdad4a88feb4"