Brand impersonation: Github
Impersonation of GitHub.
Sublime rule
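# Sublime Security detection rule. The rendered listing had its gutter line
# numbers fused onto the keys and its indentation collapsed; this restores a
# loadable file (2-space indent, indented sequences) and documents the query.
name: "Brand impersonation: Github"
description: |
  Impersonation of Github.
# Public write-up of a GitHub-themed credential-phishing campaign, cited by
# the author as the motivation for this rule.
references:
  - "https://github.blog/2020-04-14-sawfish-phishing-campaign-targets-github-users/"
type: "rule"
severity: "high"
# MQL predicate, evaluated per inbound message. Clauses, in order:
#   1. drop senders whose display name contains course/bootcamp/training
#      (presumably training platforms that legitimately mention GitHub — confirm);
#   2. require a GitHub brand signal: "github" in the display name or address,
#      or a sender SLD within edit distance 1 of "github";
#   3. drop list traffic: a List-Unsubscribe header on any hop together with
#      "via" in the display name;
#   4. allowlist root domains — github.com itself plus domains that would
#      otherwise trip the edit-distance check (presumed legitimate; verify
#      before extending the list);
#   5. require that the sender is not an established correspondent: a
#      free-mail sender must not be a known recipient address, and any other
#      sender's domain must not be a known recipient domain.
# The block scalar is the rule's runtime query — `#` is not MQL comment
# syntax, so keep explanatory notes here rather than inside it.
source: |
  type.inbound
  and not strings.ilike(sender.display_name, '*course*', '*bootcamp*', '*training*')
  and (
    strings.ilike(sender.display_name, '*github*')
    or strings.ilike(sender.email.email, '*github*')
    or strings.ilevenshtein(sender.email.domain.sld, 'github') <= 1
  )
  // negating listservs
  and not (
    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
    and strings.contains(sender.display_name, "via")
  )
  and sender.email.domain.root_domain not in (
    'github.com',
    'gitlab.com',
    'itthub.net',
    'githubsupport.com',
    'gtmhub.com',
    'githubstatus.com',
    'githubnext.com',
    'lithub.com'
  )
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
# Classification metadata consumed by the rule catalogue.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
# Stable rule identifier; do not change on edits.
id: "9402f92b-f2b1-5452-8124-fdad4a88feb4"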