From bf62f17de84c0f7f21def7cf41c4015f552ab5f6 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Mon, 18 Sep 2023 08:48:58 -0700
Subject: [PATCH] Updating rule: impersonation_github.yml (#796)
---
 detection-rules/impersonation_github.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/detection-rules/impersonation_github.yml b/detection-rules/impersonation_github.yml
index 7f60c752bac..8b3b3e79a5f 100644
--- a/detection-rules/impersonation_github.yml
+++ b/detection-rules/impersonation_github.yml
@@ -13,6 +13,11 @@ source: |
 or strings.ilike(sender.email.email, '*github*')
 or strings.ilevenshtein(sender.email.domain.sld, 'github') <= 1
 )
+ // negating listservs
+ and not (
+ any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
+ and strings.contains(sender.display_name, "via")
+ )
 and sender.email.domain.root_domain not in (
 'github.com',
 'gitlab.com',
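Review bot: Both conditions in the new `and not (...)` exclusion come from the message itself, so a sender who is not a listserv can satisfy them and suppress this impersonation rule. The presence of a `List-Unsubscribe` header says nothing about who sent the message, and `strings.contains(sender.display_name, "via")` is a case-sensitive substring match that also matches names such as "Olivia" while missing "Via". At minimum, anchor the display-name test to the listserv pattern, e.g. `and strings.icontains(sender.display_name, " via ")`. It would also help to pair the exclusion with a signal the sender cannot set, such as an authentication pass for the relaying list domain or an allowlist of known list domains, if the rule language exposes one. The comment could then state that dependency, e.g. `// negating listservs ("Name via List" display names); relies on sender-supplied values`. The `source` expression starts and ends outside this hunk, so later conditions may already narrow this.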