Link: WordPress admin targeting with recipient identifier in URL parts
Detects messages containing links to WordPress administrative paths (wp-admin, wp-content, wp-includes, etc.) where the URL fragment or query param values contains base64-encoded data that includes the recipient's email address, indicating potential targeted compromise attempts.
Sublime rule (View on GitHub)
1name: "Link: WordPress admin targeting with recipient identifier in URL parts"
2description: "Detects messages containing links to WordPress administrative paths (wp-admin, wp-content, wp-includes, etc.) where the URL fragment or query param values contains base64-encoded data that includes the recipient's email address, indicating potential targeted compromise attempts."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 and recipients.to[0].email.domain.valid
8 and any(body.links,
9 regex.icontains(.href_url.path,
10 '^\/(?:wp-(?:admin|includes|content|login|json|signup|activate|cron|mail)|xmlrpc\.php)'
11 )
12 and (
13 // fragments base64 encoded
14 any(strings.scan_base64(.href_url.fragment),
15 strings.icontains(., recipients.to[0].email.email)
16 )
17 // fragments not base64 encoded
18 or strings.icontains(.href_url.fragment, recipients.to[0].email.email)
19 // query param values are exactly the recipient
20 or (
21 any(flatten(values(.href_url.query_params_decoded)),
22 . == recipients.to[0].email.email
23 or any(strings.scan_base64(.),
24 . == recipients.to[0].email.email
25 )
26 )
27 // not an unsub URL
28 and not strings.icontains(.href_url.url, 'unsub')
29 // less than two query_params
30 and length(keys(.href_url.query_params_decoded)) <= 2
31 )
32 )
33 )
34attack_types:
35 - "Credential Phishing"
36tactics_and_techniques:
37 - "Evasion"
38 - "Social engineering"
39detection_methods:
40 - "URL analysis"
41 - "Content analysis"
42id: "d1b86351-5bbd-5c76-9dd4-c4f49602664a"