Brand impersonation: Github

 1name: "Brand impersonation: Github"
 2description: |
 3    Impersonation of Github.
 4references:
 5  - "https://github.blog/2020-04-14-sawfish-phishing-campaign-targets-github-users/"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and not strings.ilike(sender.display_name,
11                        '*course*',
12                        '*bootcamp*',
13                        '*training*'
14  )
15  and (
16    strings.ilike(sender.display_name, '*github*')
17    or strings.ilike(sender.email.email, '*github*')
18    or strings.ilevenshtein(sender.email.domain.sld, 'github') <= 1
19  )
20  // negating listservs
21  and not (
22    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
23    and strings.contains(sender.display_name, "via")
24  )
25  and sender.email.domain.root_domain not in (
26    'github.com',
27    'thegithubshop.com',
28    'gitlab.com',
29    'itthub.net',
30    'githubsupport.com',
31    'gtmhub.com',
32    'githubstatus.com',
33    'githubnext.com',
34    'lithub.com',
35    'icims.com',
36    'bithub.email',
37    'goldcast.io'
38  )
39
40  // negate highly trusted sender domains unless they fail DMARC authentication
41  and (
42    (
43      sender.email.domain.root_domain in $high_trust_sender_root_domains
44      and not headers.auth_summary.dmarc.pass
45    )
46    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
47  )
48  and (
49    not profile.by_sender().solicited
50    or (
51      profile.by_sender().any_messages_malicious_or_spam
52      and not profile.by_sender().any_false_positives
53    )
54  )
55  and not profile.by_sender().any_false_positives  
56attack_types:
57  - "Credential Phishing"
58tactics_and_techniques:
59  - "Impersonation: Brand"
60  - "Lookalike domain"
61  - "Social engineering"
62detection_methods:
63  - "Header analysis"
64  - "Sender analysis"
65id: "9402f92b-f2b1-5452-8124-fdad4a88feb4"