Link: Credential Phishing via WordPress
Detects when non-WordPress senders link to suspended or malicious WordPress blog sites, commonly used to redirect users to credential harvesting pages.
# Sublime Security detection rule: metadata fields followed by the MQL query in `source`.
name: "Link: Credential Phishing via WordPress"
description: "Detects when non-WordPress senders link to suspended or malicious WordPress blog sites, commonly used to redirect users to credential harvesting pages."
type: "rule"
severity: "high"
source: |
  type.inbound
  // NOTE(review): this exclusion keys on the claimed sender root domain alone; no
  // authentication result is consulted here, so it is only as reliable as the
  // From: domain itself — confirm that is acceptable for a high-severity rule.
  and sender.email.domain.root_domain != "wordpress.com"
  // there are few links
  and 0 < length(body.links) <= 5
  // there are wordpress links (a *.wordpress.com subdomain, not the apex domain)
  // This clause is implied by the `== 1` count check below; it mainly documents intent.
  and any(body.links,
          .href_url.domain.root_domain == "wordpress.com"
          and .href_url.domain.domain != "wordpress.com"
  )
  // a single link to wordpress site
  and length(filter(body.links,
                    .href_url.domain.root_domain == "wordpress.com"
                    and .href_url.domain.domain != "wordpress.com"
             )
  ) == 1

  // not a reply
  and length(headers.references) == 0
  and headers.in_reply_to is null

  // we detect the wordpress page has phishing
  // NOTE(review): this filter omits the `.href_url.domain.domain != "wordpress.com"`
  // clause used above, so a link to the wordpress.com apex is also analyzed — confirm intended.
  // Either the link-analysis credphish verdict is "phishing", or the display text of the
  // final DOM carries WordPress's suspension notice.
  and any(filter(body.links, .href_url.domain.root_domain == "wordpress.com"),
          ml.link_analysis(.).credphish.disposition == "phishing"
          or strings.icontains(ml.link_analysis(.).final_dom.display_text,
                               'This blog has been archived or suspended in accordance with our Terms of Service'
          )
  )

# classification metadata
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Free subdomain host"
detection_methods:
  - "URL analysis"
  - "Header analysis"
  - "Computer Vision"
id: "db696058-909c-585b-928e-7e64c9659015"