Link: WordPress admin targeting with recipient identifier in URL fragment

Detects messages containing links to WordPress administrative paths (wp-admin, wp-content, wp-includes, etc.) where the URL fragment contains base64-encoded data that includes the recipient's email address, indicating potential targeted compromise attempts.


 1name: "Link: WordPress admin targeting with recipient identifier in URL fragment"
 2description: "Detects messages containing links to WordPress administrative paths (wp-admin, wp-content, wp-includes, etc.) where the URL fragment contains base64-encoded data that includes the recipient's email address, indicating potential targeted compromise attempts."
 3type: "rule"
 4severity: "high"
# Match condition: an inbound message carrying a link whose path begins with a
# WordPress admin/API path AND whose URL fragment contains the first To:
# recipient's address, either in clear text or inside a base64-decoded segment.
 5source: |
 6  type.inbound
 7  and any(body.links,
            // path match is anchored at the start and case-insensitive
            // (regex.icontains); covers wp-* administrative paths and xmlrpc.php
 8          regex.icontains(.href_url.path,
 9                          '^\/(?:wp-(?:admin|includes|content|login|json|signup|activate|cron|mail)|xmlrpc\.php)'
10          )
11          // base64 encoded
            // strings.scan_base64 returns the decoded base64 segments found in the
            // fragment; the recipient address must appear in one of them
12          and (
13            any(strings.scan_base64(.href_url.fragment),
14                strings.icontains(., recipients.to[0].email.email)
15            )
16            // not base64
17            or strings.icontains(.href_url.fragment, recipients.to[0].email.email)
            // NOTE(review): both branches compare against recipients.to[0] only; a
            // target listed later in To:, or a message with an empty To: header, is
            // not matched by this rule -- confirm this scope is intended
18          )
19  )  
# Taxonomy tags
20attack_types:
21  - "Credential Phishing"
22tactics_and_techniques:
23  - "Evasion"
24  - "Social engineering"
25detection_methods:
26  - "URL analysis"
27  - "Content analysis"
# Rule identifier (UUID)
28id: "d1b86351-5bbd-5c76-9dd4-c4f49602664a"