Skip to content

New rule: Thread hijacking with typosquat domain #3402

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Nov 4, 2025
Merged

New rule: Thread hijacking with typosquat domain #3402

merged 7 commits into from
Nov 4, 2025

Conversation

@aidenmitchell
Copy link
Member

@aidenmitchell aidenmitchell commented Oct 10, 2025

Description

Detects potential thread hijacking where the sender uses a domain similar to known senders, exhibits BEC behavior, and shows signs of compromised thread continuity through domain spoofing or thread manipulation.

Associated samples

@aidenmitchell
New rule: Thread hijacking with typosquat domain
11b992b 
Adds a detection rule for vendor impersonation through thread hijacking using typosquat domains.
@aidenmitchell aidenmitchell requested a review from a team as a code owner October 10, 2025 20:53
@github-actions github-actions bot added the in-test-rules PR is in our testing suite to collect telemetry label Oct 10, 2025
github-actions bot added a commit that referenced this pull request Oct 10, 2025
@github-actions
[PR #3402] added rule: Vendor impersonation: Thread hijacking with ty…
6efacb6 
…posquat domain
github-actions bot added a commit that referenced this pull request Oct 15, 2025
@github-actions
[PR #3402] Delete detection rule
83a8ece
github-actions bot added a commit that referenced this pull request Oct 15, 2025
@github-actions
[PR #3402] added rule: Vendor impersonation: Thread hijacking with ty…
45465da 
…posquat domain
github-actions bot added a commit that referenced this pull request Oct 17, 2025
@github-actions
[PR #3402] modified rule: Vendor impersonation: Thread hijacking with…
e39e181 
… typosquat domain
alex-herold and others added 3 commits October 28, 2025 07:59
@alex-herold
Sync .github directory from main branch
07f1616 
- Applied .github directory from main to aiden.new.vendorhijack
- Ensures workflows and GitHub configurations are up to date
- Automated sync via script
@aidenmitchell
Update vendor_impersonation_thread_hijack.yml
05ca72f
@aidenmitchell
Merge branch 'main' into aiden.new.vendorhijack
be3a0ab
@aidenmitchell aidenmitchell added the review-needed Indicates that a PR is waiting for review label Nov 3, 2025
github-actions bot added a commit that referenced this pull request Nov 3, 2025
@github-actions
[PR #3402] modified rule: Vendor impersonation: Thread hijacking with…
fe58d94 
… typosquat domain
@aidenmitchell aidenmitchell added this pull request to the merge queue Nov 4, 2025
Merged via the queue into main with commit 69019b3 Nov 4, 2025
3 checks passed
@aidenmitchell aidenmitchell deleted the aiden.new.vendorhijack branch November 4, 2025 13:22
github-actions bot added a commit that referenced this pull request Nov 4, 2025
@github-actions
[PR #3402] Delete detection rule
8621759
@IndiaAce IndiaAce mentioned this pull request Nov 5, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@IndiaAce IndiaAce IndiaAce approved these changes

Assignees

No one assigned

Labels

in-test-rules PR is in our testing suite to collect telemetry review-needed Indicates that a PR is waiting for review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@aidenmitchell @IndiaAce @alex-herold