Sync from PR#1855
Create link_github_notification_abuse.yml by @zoomequipd
#1855
Source SHA 85c662c
Triggered by @zoomequipd
Sublime Rule Testing Bot committed Sep 3, 2024
1 parent ff16458 commit 9c01ae6
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions detection-rules/link_github_notification_abuse.yml
Expand Up @@ -2,7 +2,7 @@ name: "GitHub Notification Abuse"
description: "This detection rule matches GitHub notifications which contain links to free file hosts, free subdomain hosts, and url shortners. This has been seen in previous campaigns where malicious actors leveraged existing issues on public GitHub repositories by adding comments with links to Info Stealer malware."
type: "rule"
severity: "medium"
source: "type.inbound\n// actual GitHub notifications\nand sender.email.email == \"[email protected]\"\nand all(headers.reply_to, .email.domain.domain == \"reply.github.com\")\nand headers.return_path.email == \"[email protected]\"\nand headers.auth_summary.spf.pass\nand headers.auth_summary.dmarc.pass\n\n// remove github bots\nand not strings.iends_with(sender.display_name, \"[bot]\")\n\n// only match messages with short bodies\nand length(body.html.display_text) <= 500\n\n// remove messages that have <pre> tag which would indicate a code comment\nand not strings.icontains(body.html.raw, '<pre>')\n\n// do not match messages where the sender display name is in the org display names. \n// This attempts to avoid catching internal employees comenting on org repos\nand not any($org_display_names, . =~ sender.display_name)\n\n// match messages with suspicious links\nand any(\n // filter any links that go back to github\n filter(body.links,\n .href_url.domain.root_domain not in (\n 'github.com',\n 'githubusercontent.com',\n 'github.io',\n 'githubsupport.com',\n 'githubstatus.com'\n )\n ),\n // see if the remaining links are within several lists\n .href_url.domain.root_domain in $free_file_hosts\n or (\n .href_url.domain.root_domain in $free_subdomain_hosts\n and .href_url.domain.subdomain is not null\n )\n or .href_url.domain.root_domain in $url_shorteners\n)\n"
source: "type.inbound\n// actual GitHub notifications\nand sender.email.email == \"[email protected]\"\nand all(headers.reply_to, .email.domain.domain == \"reply.github.com\")\nand headers.return_path.email == \"[email protected]\"\nand headers.auth_summary.spf.pass\nand headers.auth_summary.dmarc.pass\n\n// remove github bots\nand not strings.iends_with(sender.display_name, \"[bot]\")\n\n// only match messages with short bodies\nand length(body.html.display_text) <= 500\n\n// remove messages that have <pre> tag which would indicate a code comment\nand not strings.icontains(body.html.raw, '<pre>')\n\n// do not match messages where the sender display name is in the org display names. \n// This attempts to avoid catching internal employees commenting on org repos\nand not any($org_display_names, . =~ sender.display_name)\n\n// match messages with suspicious links\nand any(\n // filter any links that go back to github\n filter(body.links,\n .href_url.domain.root_domain not in (\n 'github.com',\n 'githubusercontent.com',\n 'github.io',\n 'githubsupport.com',\n 'githubstatus.com'\n )\n ),\n // see if the remaining links are within several lists\n .href_url.domain.root_domain in $free_file_hosts\n or (\n .href_url.domain.root_domain in $free_subdomain_hosts\n and .href_url.domain.subdomain is not null\n )\n or .href_url.domain.root_domain in $url_shorteners\n)\n"
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
Expand All @@ -15,4 +15,4 @@ detection_methods:
- "URL analysis"
id: "eabdee5e-1c96-543f-9786-26fda9cbe2d0"
testing_pr: 1855
testing_sha: 5b6042103de21cc26d71ad82f2041b2085c831ff
testing_sha: 85c662ccbccbdb9bea26003cd867d936848ec5e8
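Review bot: The `source:` value in the first hunk is a single double-quoted scalar with the whole query flattened into `\n` escapes, which is why a one-character comment fix shows up as a replacement of the entire rule line and cannot be read as a diff. A literal block scalar (`source: |` followed by the query one line per line) would keep the string byte-identical at load time while making future reviews line-granular; since this commit is bot-synced from the PR, that change may belong in whatever serializes the rule rather than in this file directly. Separately, `all(headers.reply_to, .email.domain.domain == "reply.github.com")` would, if `all()` over an empty list evaluates true in this rule language, be satisfied by a notification with no Reply-To header at all — worth confirming that is intended, or pairing it with `length(headers.reply_to) > 0`.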
