← Back to Explore
sublimehighRule
Brand impersonation: Github (sawfish campaign)
Impersonation of Github, potentially as part of the sawfish campaign, seeking to harvest Github credentials.
Detection Query
type.inbound
and (
sender.email.domain.domain != 'github.com'
or headers.return_path.domain.root_domain != 'github.com'
)
and 2 of (
regex.icontains(body.plain.raw,
'.*account activity.*',
'.*your activity.*',
'.*suspicious api call.*'
),
regex.icontains(body.html.inner_text,
'.*account activity.*',
'.*your activity.*',
'.*suspicious api call.*'
),
regex.icontains(subject.subject,
'.*account activity.*',
'.*your activity.*',
'.*suspicious api call.*'
)
)
and 1 of (
strings.ilike(sender.display_name, '*github*'),
strings.ilike(sender.email.email, '*github*'),
strings.ilike(subject.subject, '*github*')
)
or any(body.links,
.href_url.domain.root_domain in (
'secure-git.org',
'auth-glthub.com',
'secure-glthub.com',
'githb.net',
'github-team.com',
'githubb.net',
'aws-update.net',
'corp-github.com',
'ensure-https.com',
'git-hub.co',
'git-secure-service.in',
'githb.co',
'glt-app.net',
'glt-hub.com',
'glthub.co',
'glthub.info',
'glthub.net',
'glthubb.info',
'glthube.app',
'glthubs.com',
'glthubs.info',
'glthubs.net',
'glthubse.info',
'slack-app.net',
'ssl-connection.net',
'sso-github.com',
'sts-github.com',
'tsl-github.com'
)
)
and sender.email.email not in $recipient_emails
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Tags
Brand impersonationCredential phishing
Raw Content
name: "Brand impersonation: Github (sawfish campaign)"
description: |
Impersonation of Github, potentially as part of the sawfish campaign, seeking to harvest Github credentials.
references:
- "https://github.blog/2020-04-14-sawfish-phishing-campaign-targets-github-users/"
- "https://twitter.com/DanielGallagher/status/1372280418582552578"
type: "rule"
severity: "high"
source: |
type.inbound
and (
sender.email.domain.domain != 'github.com'
or headers.return_path.domain.root_domain != 'github.com'
)
and 2 of (
regex.icontains(body.plain.raw,
'.*account activity.*',
'.*your activity.*',
'.*suspicious api call.*'
),
regex.icontains(body.html.inner_text,
'.*account activity.*',
'.*your activity.*',
'.*suspicious api call.*'
),
regex.icontains(subject.subject,
'.*account activity.*',
'.*your activity.*',
'.*suspicious api call.*'
)
)
and 1 of (
strings.ilike(sender.display_name, '*github*'),
strings.ilike(sender.email.email, '*github*'),
strings.ilike(subject.subject, '*github*')
)
or any(body.links,
.href_url.domain.root_domain in (
'secure-git.org',
'auth-glthub.com',
'secure-glthub.com',
'githb.net',
'github-team.com',
'githubb.net',
'aws-update.net',
'corp-github.com',
'ensure-https.com',
'git-hub.co',
'git-secure-service.in',
'githb.co',
'glt-app.net',
'glt-hub.com',
'glthub.co',
'glthub.info',
'glthub.net',
'glthubb.info',
'glthube.app',
'glthubs.com',
'glthubs.info',
'glthubs.net',
'glthubse.info',
'slack-app.net',
'ssl-connection.net',
'sso-github.com',
'sts-github.com',
'tsl-github.com'
)
)
and sender.email.email not in $recipient_emails
tags:
- "Brand impersonation"
- "Credential phishing"