Brand impersonation: Github

 1name: "Brand impersonation: Github"
 2description: |
 3    Impersonation of Github.
 4references:
 5  - "https://github.blog/2020-04-14-sawfish-phishing-campaign-targets-github-users/"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and not strings.ilike(sender.display_name, '*course*', '*bootcamp*', '*training*')
11  and (
12    strings.ilike(sender.display_name, '*github*')
13    or strings.ilike(sender.email.email, '*github*')
14    or strings.ilevenshtein(sender.email.domain.sld, 'github') <= 1
15  )
16  // negating listservs
17  and not (
18      any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
19      and strings.contains(sender.display_name, "via")
20  )
21  and sender.email.domain.root_domain not in (
22    'github.com',
23    'gitlab.com',
24    'itthub.net',
25    'githubsupport.com',
26    'gtmhub.com',
27    'githubstatus.com',
28    'githubnext.com',
29    'lithub.com'
30  )
31  and (
32    (
33      sender.email.domain.root_domain in $free_email_providers
34      and sender.email.email not in $recipient_emails
35    )
36    or (
37      sender.email.domain.root_domain not in $free_email_providers
38      and sender.email.domain.domain not in $recipient_domains
39    )
40  )  
41attack_types:
42  - "Credential Phishing"
43tactics_and_techniques:
44  - "Impersonation: Brand"
45  - "Lookalike domain"
46  - "Social engineering"
47detection_methods:
48  - "Header analysis"
49  - "Sender analysis"
50id: "9402f92b-f2b1-5452-8124-fdad4a88feb4"