Spam: Unsolicited WordPress account creation or password reset request
Detects messages containing WordPress password reset links where the login parameter does not match the recipient's email address. The rule triggers for unsolicited senders, previously malicious senders, or when DMARC authentication fails.
Sublime rule
```yaml
name: "Spam: Unsolicited WordPress account creation or password reset request"
description: "Detects messages containing WordPress password reset links where the login parameter does not match the recipient's email address. The rule triggers for unsolicited senders, previously malicious senders, or when DMARC authentication fails."
type: "rule"
severity: "low"
source: |
  type.inbound
  and body.html.raw is null
  and any(body.links,
          .href_url.path == "/wp-login.php"
          and any(.href_url.query_params_decoded["key"], . is not null)
          and any(.href_url.query_params_decoded["login"],
                  any(recipients.to,
                      .email.local_part != .. and .email.email != ..
                  )
          )
  )
  and (
    (
      not profile.by_sender().solicited
      and profile.by_sender().prevalence == "new"
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
    or not headers.auth_summary.dmarc.pass
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "e182b6b2-6980-5729-b9a5-221867b5093b"
```
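To make the rule's logic concrete, the following is an added, stand-alone Python re-implementation of its checks (it is not Sublime's code and does not use the Sublime engine). It reconstructs the link test with `urllib.parse`, mirrors the sender-reputation and DMARC disjunction, and runs both against two constructed sample messages. The field names of the message dict (`links`, `recipients_to`, `sender_profile`, `dmarc_pass`, and so on) are assumptions chosen for this example, not MQL fields.

```python
# Added example (not Sublime's own code or engine): a stand-alone Python
# re-implementation of the rule above so its checks can be exercised offline
# against constructed sample messages. The message dict field names below
# are assumptions chosen for this example.
from urllib.parse import parse_qs, urlsplit


def wp_reset_login_mismatch(links, recipients_to):
    """True if any link is a WordPress password-reset link (/wp-login.php
    carrying a 'key' parameter) whose 'login' value matches neither the
    local part nor the full address of at least one To: recipient.
    Mirrors the any(body.links, ...) clause of the rule."""
    for href in links:
        parts = urlsplit(href)
        if parts.path != "/wp-login.php":
            continue
        # parse_qs percent-decodes values, like query_params_decoded
        params = parse_qs(parts.query)
        if not params.get("key"):
            continue
        for login in params.get("login", []):
            for rcpt in recipients_to:
                local_part = rcpt.split("@", 1)[0]
                if login != local_part and login != rcpt:
                    return True
    return False


def sender_is_suspicious(profile, dmarc_pass):
    """Mirrors the rule's sender-reputation / authentication disjunction."""
    return bool(
        (not profile["solicited"] and profile["prevalence"] == "new")
        or (profile["any_messages_malicious_or_spam"]
            and not profile["any_messages_benign"])
        or not dmarc_pass
    )


def rule_matches(msg):
    """Evaluate the whole rule against one message dict."""
    return bool(
        msg["inbound"]
        and msg["body_html_raw"] is None  # plain-text-only body
        and wp_reset_login_mismatch(msg["links"], msg["recipients_to"])
        and sender_is_suspicious(msg["sender_profile"], msg["dmarc_pass"])
    )


# Constructed sample messages (not real traffic).
UNSOLICITED_RESET = {
    "inbound": True,
    "body_html_raw": None,
    "links": ["https://blog.example/wp-login.php?action=rp&key=k1&login=wpadmin"],
    "recipients_to": ["alice@example.com"],
    "sender_profile": {
        "solicited": False, "prevalence": "new",
        "any_messages_malicious_or_spam": False, "any_messages_benign": False,
    },
    "dmarc_pass": True,
}

# Same kind of link, but the login matches the recipient and the sender is
# known: a self-initiated reset, so the rule should stay quiet.
LEGIT_RESET = {
    "inbound": True,
    "body_html_raw": None,
    "links": ["https://blog.example/wp-login.php?action=rp&key=k2&login=alice%40example.com"],
    "recipients_to": ["alice@example.com"],
    "sender_profile": {
        "solicited": True, "prevalence": "common",
        "any_messages_malicious_or_spam": False, "any_messages_benign": True,
    },
    "dmarc_pass": True,
}

if __name__ == "__main__":
    print("unsolicited:", rule_matches(UNSOLICITED_RESET))  # True
    print("legitimate:", rule_matches(LEGIT_RESET))        # False
```

One property worth noticing when tuning: because the recipient comparison is an `any(...)`, a reset link addressed to one of several To: recipients still counts as a mismatch for the others, so multi-recipient messages will match the link clause even when one recipient's address does match the `login` value.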
Related rules
- Attachment: OLE external relationship containing file scheme link to executable filetype
- Reconnaissance: Large unknown recipient list
- Headers: Invalid recipient domain with mismatched reply-to from new sender
- Attachment: HTML smuggling with base64 encoded ZIP file
- Service abuse: Facebook business with action required subject