diff --git a/detection-rules/link_github_notification_abuse.yml b/detection-rules/link_github_notification_abuse.yml
new file mode 100644
index 00000000000..50b77e153bf
--- /dev/null
+++ b/detection-rules/link_github_notification_abuse.yml
@@ -0,0 +1,37 @@
+name: "GitHub Notification Abuse"
+description: "This detection rule matches GitHub notifications which contain links to free file hosts, free subdomain hosts, and url shortners. This has been seen in previous campaigns where malicious actors leveraged existing issues on public GitHub repositories by adding comments with links to Info Stealer malware."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ // actual GitHub notifications
+ and sender.email.email == "notifications@github.com"
+ and all(headers.reply_to, .email.domain.domain == "reply.github.com")
+ and headers.return_path.email == "noreply@github.com"
+ and headers.auth_summary.spf.pass
+ and headers.auth_summary.dmarc.pass
+ // suspicious links
+ and any(
+ // filter any links that go back to GitHub
+ filter(body.links, .href_url.domain.root_domain != 'github.com'),
+ // see if the remaining links are within several lists
+ .href_url.domain.root_domain in $free_file_hosts
+ or (
+ .href_url.domain.root_domain in $free_subdomain_hosts
+ and .href_url.domain.subdomain is not null
+ )
+ or .href_url.domain.root_domain in $url_shorteners
+ )
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Free subdomain host"
+ - "Free file host"
+ - "Evasion"
+detection_methods:
+ - "Header analysis"
+ - "Content analysis"
+ - "URL analysis"
+id: "eabdee5e-1c96-543f-9786-26fda9cbe2d0"
+testing_pr: 1855
+testing_sha: df205895ad04b3022d8dd4e93c198b6923c59f95
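Review bot: The `filter(body.links, .href_url.domain.root_domain != 'github.com')` step drops every GitHub-hosted link before the list checks run, so a payload attached to the issue comment itself (issue attachments are, as far as I know, served from github.com / githubusercontent.com paths) is outside this rule's coverage; if that is deliberate, state it in the description so analysts do not read the rule as covering the whole issue-comment campaign pattern. `all(headers.reply_to, ...)` is vacuously true when no Reply-To header is present; the `notifications@github.com` sender, `noreply@github.com` return path and SPF+DMARC pass requirements already prevent this from being a spoofing gap, but `length(headers.reply_to) > 0 and all(headers.reply_to, .email.domain.domain == "reply.github.com")` would make the intent explicit. The `root_domain != 'github.com'` comparison is also applied to links with no domain at all (e.g. `mailto:`), and how a null `root_domain` compares there should be confirmed against the query language's null semantics rather than assumed to exclude them. Finally, the description string reads "url shortners" where "url shorteners" is meant.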