Skip to content

Add brand impersonation detection for commonly abused names#38

Closed
Copilot wants to merge 7 commits intomasterfrom
copilot/extend-plugin-checks-for-abused-names
Closed

Add brand impersonation detection for commonly abused names#38
Copilot wants to merge 7 commits intomasterfrom
copilot/extend-plugin-checks-for-abused-names

Conversation

Copy link

Copilot AI commented Feb 6, 2026
edited
Loading

Detects brand names in email headers/subject (e.g., "costco", "paypal") and rejects messages when the sending domain doesn't match the legitimate domain. Addresses phishing attempts like From: "Costco Support" <spam@spammer.com> with subject containing "Costco".

Implementation

  • Configuration: [commonly_abused] section maps brand names to legitimate domains, supporting variations (costco=costco.com, c0stc0=costco.com)

  • Detection logic: New check_abused_names hook on data_post that:

    • Extracts domains from envelope MAIL FROM and header From using RFC-compliant regex (hyphens only mid-label)
    • Checks envelope from local part, header from display name, and subject against pre-compiled word-boundary patterns
    • Rejects via DENY when brand name found but neither envelope nor header domain matches legitimate OD

  • Performance: Regex patterns pre-compiled during config load and cached in cfg.commonly_abused_patterns

  • False positive prevention: Word boundary matching prevents "purchase" from triggering "chase", "tamazon.com" from triggering "amazon"

Example

[commonly_abused]
costco=costco.com
c0stc0=costco.com  # leetspeak variation
paypal=paypal.com

Rejects when costco appears in headers but domain is spammer.com. Allows when domain is costco.com or mail.costco.com.

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI and others added 5 commits February 6, 2026 20:34
@msimerson
Add commonly abused names detection feature
fb8428f 
Co-authored-by: msimerson <261635+msimerson@users.noreply.github.com>
@msimerson
Add documentation for commonly abused names feature
33bdfe6 
Co-authored-by: msimerson <261635+msimerson@users.noreply.github.com>
@msimerson
Improve pattern matching to avoid false positives
4927e86 
Co-authored-by: msimerson <261635+msimerson@users.noreply.github.com>
@msimerson
Pre-compile regex patterns and remove generic 'ups' brand
46aa44f 
Co-authored-by: msimerson <261635+msimerson@users.noreply.github.com>
@msimerson
Fix regex escaping, improve domain validation, add test cleanup
be78032 
Co-authored-by: msimerson <261635+msimerson@users.noreply.github.com>
Copilot AI changed the title [WIP] Extend plugin to check for commonly abused names Add brand impersonation detection for commonly abused names Feb 6, 2026
Copilot AI requested a review from msimerson February 6, 2026 20:45
@msimerson msimerson closed this Feb 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@msimerson msimerson Awaiting requested review from msimerson

Assignees

@msimerson msimerson

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@msimerson