Link: WordPress admin targeting with recipient identifier in URL parts

Detects messages containing links to WordPress administrative paths (wp-admin, wp-content, wp-includes, etc.) where the URL fragment or query param values contains base64-encoded data that includes the recipient's email address, indicating potential targeted compromise attempts.

Sublime rule (View on GitHub)

 1name: "Link: WordPress admin targeting with recipient identifier in URL parts"
 2description: "Detects messages containing links to WordPress administrative paths (wp-admin, wp-content, wp-includes, etc.) where the URL fragment or query param values contains base64-encoded data that includes the recipient's email address, indicating potential targeted compromise attempts."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and recipients.to[0].email.domain.valid
 8  and any(body.links,
 9          regex.icontains(.href_url.path,
10                          '^\/(?:wp-(?:admin|includes|content|login|json|signup|activate|cron|mail)|xmlrpc\.php)'
11          )
12          and (
13            // fragments base64 encoded
14            any(strings.scan_base64(.href_url.fragment),
15                strings.icontains(., recipients.to[0].email.email)
16            )
17            // fragments not base64 encoded
18            or strings.icontains(.href_url.fragment, recipients.to[0].email.email)
19            // query param values are exactly the recipient
20            or (
21              any(flatten(values(.href_url.query_params_decoded)),
22                  . == recipients.to[0].email.email
23                  or any(strings.scan_base64(.),
24                         . == recipients.to[0].email.email
25                  )
26              )
27              // not an unsub URL
28              and not strings.icontains(.href_url.url, 'unsub')
29              // less than two query_params
30              and length(keys(.href_url.query_params_decoded)) <= 2
31            )
32          )
33  )  
34attack_types:
35  - "Credential Phishing"
36tactics_and_techniques:
37  - "Evasion"
38  - "Social engineering"
39detection_methods:
40  - "URL analysis"
41  - "Content analysis"
42id: "d1b86351-5bbd-5c76-9dd4-c4f49602664a"
to-top