Link: Suspicious wp-admin path from mismatched sender domain

Detects inbound messages containing links that point to a WordPress admin path (single directory under /wp-admin/ with no subdirectories or file extensions) where the link domain does not match the sender's domain. This mismatch, combined with the use of a sensitive admin path, is indicative of malicious activity. Messages from high-trust senders and known web security services passing DMARC are excluded.

Sublime rule (View on GitHub)

 1name: "Link: Suspicious wp-admin path from mismatched sender domain"
 2description: "Detects inbound messages containing links that point to a WordPress admin path (single directory under /wp-admin/ with no subdirectories or file extensions) where the link domain does not match the sender's domain. This mismatch, combined with the use of a sensitive admin path, is indicative of malicious activity. Messages from high-trust senders and known web security services passing DMARC are excluded."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  // single file/directory under wp-admin which doesn't contain a .
 8  and any(body.links,
 9          regex.icontains(.href_url.path, '^/wp-admin/[^/\.]+/?$')
10          // domain is not the same as the sender domain
11          and .href_url.domain.root_domain != sender.email.domain.root_domain
12  )
13  and not (
14    (
15      sender.email.domain.root_domain in $high_trust_sender_root_domains
16      // website security companies that send reports via email
17      or sender.email.domain.root_domain in ('imperva.com', 'urllo.com')
18    )
19    and coalesce(headers.auth_summary.dmarc.pass, false)
20  )
21    
22attack_types:
23  - "Credential Phishing"
24tactics_and_techniques:
25  - "Evasion"
26  - "Social engineering"
27  - "Spoofing"
28detection_methods:
29  - "URL analysis"
30  - "Sender analysis"
31  - "Header analysis"
32id: "e8fa7870-b771-5dcd-b5f3-59f866ba00e2"
to-top