Brand impersonation: Github
Impersonation of Github.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Github"
2description: |
3 Impersonation of Github.
4references:
5 - "https://github.blog/2020-04-14-sawfish-phishing-campaign-targets-github-users/"
6type: "rule"
7severity: "high"
8source: |
9 type.inbound
10 and not strings.ilike(sender.display_name,
11 '*course*',
12 '*bootcamp*',
13 '*training*'
14 )
15 and (
16 strings.ilike(sender.display_name, '*github*')
17 or strings.ilike(sender.email.email, '*github*')
18 or strings.ilevenshtein(sender.email.domain.sld, 'github') <= 1
19 )
20 // negating listservs
21 and not (
22 any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
23 and strings.contains(sender.display_name, "via")
24 )
25 and sender.email.domain.root_domain not in (
26 'github.com',
27 'thegithubshop.com',
28 'gitlab.com',
29 'itthub.net',
30 'githubsupport.com',
31 'gtmhub.com',
32 'githubstatus.com',
33 'githubnext.com',
34 'lithub.com',
35 'icims.com',
36 'bithub.email',
37 'goldcast.io'
38 )
39
40 // negate highly trusted sender domains unless they fail DMARC authentication
41 and (
42 (
43 sender.email.domain.root_domain in $high_trust_sender_root_domains
44 and not headers.auth_summary.dmarc.pass
45 )
46 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
47 )
48 and (
49 not profile.by_sender().solicited
50 or (
51 profile.by_sender().any_messages_malicious_or_spam
52 and not profile.by_sender().any_false_positives
53 )
54 )
55 and not profile.by_sender().any_false_positives
56attack_types:
57 - "Credential Phishing"
58tactics_and_techniques:
59 - "Impersonation: Brand"
60 - "Lookalike domain"
61 - "Social engineering"
62detection_methods:
63 - "Header analysis"
64 - "Sender analysis"
65id: "9402f92b-f2b1-5452-8124-fdad4a88feb4"