Link: Suspicious wp-admin path from mismatched sender domain
Detects inbound messages containing links that point to a WordPress admin path (single directory under /wp-admin/ with no subdirectories or file extensions) where the link domain does not match the sender's domain. This mismatch, combined with the use of a sensitive admin path, is indicative of malicious activity. Messages from high-trust senders and known web security services passing DMARC are excluded.
Sublime rule (View on GitHub)
1name: "Link: Suspicious wp-admin path from mismatched sender domain"
2description: "Detects inbound messages containing links that point to a WordPress admin path (single directory under /wp-admin/ with no subdirectories or file extensions) where the link domain does not match the sender's domain. This mismatch, combined with the use of a sensitive admin path, is indicative of malicious activity. Messages from high-trust senders and known web security services passing DMARC are excluded."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 // single file/directory under wp-admin which doesn't contain a .
8 and any(body.links,
9 regex.icontains(.href_url.path, '^/wp-admin/[^/\.]+/?$')
10 // domain is not the same as the sender domain
11 and .href_url.domain.root_domain != sender.email.domain.root_domain
12 )
13 and not (
14 (
15 sender.email.domain.root_domain in $high_trust_sender_root_domains
16 // website security companies that send reports via email
17 or sender.email.domain.root_domain in ('imperva.com', 'urllo.com')
18 )
19 and coalesce(headers.auth_summary.dmarc.pass, false)
20 )
21
22attack_types:
23 - "Credential Phishing"
24tactics_and_techniques:
25 - "Evasion"
26 - "Social engineering"
27 - "Spoofing"
28detection_methods:
29 - "URL analysis"
30 - "Sender analysis"
31 - "Header analysis"
32id: "e8fa7870-b771-5dcd-b5f3-59f866ba00e2"