Brand impersonation: Github

 1name: "Brand impersonation: Github"
 2description: |
 3    Impersonation of Github.
 4references:
 5  - "https://github.blog/2020-04-14-sawfish-phishing-campaign-targets-github-users/"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and not strings.ilike(sender.display_name,
11                        '*course*',
12                        '*bootcamp*',
13                        '*training*'
14  )
15  and (
16    strings.ilike(sender.display_name, '*github*')
17    or strings.ilike(sender.email.email, '*github*')
18    or strings.ilevenshtein(sender.email.domain.sld, 'github') <= 1
19  )
20  // negating listservs
21  and not (
22    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
23    and strings.contains(sender.display_name, "via")
24  )
25  and sender.email.domain.root_domain not in (
26    'github.com',
27    'gitlab.com',
28    'itthub.net',
29    'githubsupport.com',
30    'gtmhub.com',
31    'githubstatus.com',
32    'githubnext.com',
33    'lithub.com',
34    'icims.com',
35    'bithub.email'
36  )
37
38  // negate highly trusted sender domains unless they fail DMARC authentication
39  and (
40    (
41      sender.email.domain.root_domain in $high_trust_sender_root_domains
42      and (
43        any(distinct(headers.hops, .authentication_results.dmarc is not null),
44            strings.ilike(.authentication_results.dmarc, "*fail")
45        )
46      )
47    )
48    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
49  )
50  and (
51    not profile.by_sender().solicited
52    or (
53      profile.by_sender().any_messages_malicious_or_spam
54      and not profile.by_sender().any_false_positives
55    )
56  )
57  and not profile.by_sender().any_false_positives  
58attack_types:
59  - "Credential Phishing"
60tactics_and_techniques:
61  - "Impersonation: Brand"
62  - "Lookalike domain"
63  - "Social engineering"
64detection_methods:
65  - "Header analysis"
66  - "Sender analysis"
67id: "9402f92b-f2b1-5452-8124-fdad4a88feb4"