Brand impersonation: Github
Impersonation of Github.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Github"
2description: |
3 Impersonation of Github.
4references:
5 - "https://github.blog/2020-04-14-sawfish-phishing-campaign-targets-github-users/"
6type: "rule"
7severity: "high"
8source: |
9 type.inbound
10 and not strings.ilike(sender.display_name,
11 '*course*',
12 '*bootcamp*',
13 '*training*'
14 )
15 and (
16 strings.ilike(sender.display_name, '*github*')
17 or strings.ilike(sender.email.email, '*github*')
18 or strings.ilevenshtein(sender.email.domain.sld, 'github') <= 1
19 )
20 // negating listservs
21 and not (
22 any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
23 and strings.contains(sender.display_name, "via")
24 )
25 and sender.email.domain.root_domain not in (
26 'github.com',
27 'thegithubshop.com',
28 'gitlab.com',
29 'itthub.net',
30 'githubsupport.com',
31 'gtmhub.com',
32 'githubstatus.com',
33 'githubnext.com',
34 'lithub.com',
35 'icims.com',
36 'bithub.email',
37 'goldcast.io',
38 'luma-mail.com', // GitHub's event invitation software
39 'github.events' // GitHub event newsletters
40 )
41
42 // negate highly trusted sender domains unless they fail DMARC authentication
43 and (
44 (
45 sender.email.domain.root_domain in $high_trust_sender_root_domains
46 and not headers.auth_summary.dmarc.pass
47 )
48 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
49 )
50 and (
51 not profile.by_sender().solicited
52 or (
53 profile.by_sender().any_messages_malicious_or_spam
54 and not profile.by_sender().any_false_positives
55 )
56 )
57 and not profile.by_sender().any_false_positives
58attack_types:
59 - "Credential Phishing"
60tactics_and_techniques:
61 - "Impersonation: Brand"
62 - "Lookalike domain"
63 - "Social engineering"
64detection_methods:
65 - "Header analysis"
66 - "Sender analysis"
67id: "9402f92b-f2b1-5452-8124-fdad4a88feb4"