Suspected WordPress abuse with Cross-Site Scripting (XSS) indicators
Detects inbound messages that carry cross-site scripting (XSS) indicators and come from a sender whose local part is "wordpress", the default From address of WordPress notification e-mail and therefore the usual origin of mail relayed through a compromised WordPress site (contact-form and comment notifications, password resets and the like). A message matches when either the body contains a document.createElement ... script pattern, which on its own is enough, or the subject trips at least two of the rule's checks: JavaScript keywords and DOM APIs (alert, document.cookie, atob, innerHTML, ...), inline event handlers (onerror, onclick, onload, ...), embedding tags (iframe, embed, object, src=), or encoding-density thresholds (four or more "%", three or more "/" or "\"). Some of the listed tokens are broad (object, embed, import, alert), which is why the rule requires two of them rather than one.
Sublime rule
name: "Suspected WordPress abuse with Cross-Site Scripting (XSS) indicators"
description: "Detects inbound messages from likely compromised WordPress sites that exhibit indicators of cross-site scripting (XSS) attempts. The rule identifies potential script injection patterns within message bodies and/or subjects containing multiple suspicious JavaScript-related keywords or indicators."
type: "rule"
severity: "high"
source: |
  type.inbound
  // "wordpress" is the default local part of WordPress notification e-mail
  and sender.email.local_part == "wordpress"
  and (
    // a script loader anywhere in the current thread body is sufficient on its own
    regex.icontains(body.current_thread.text,
                    'document\.createElement.{0,9}script'
    )
    // otherwise, require at least two subject indicators; several of the
    // tokens below are broad on their own (object, embed, import, alert)
    or 2 of (
      strings.icount(subject.subject, "script") > 1,
      strings.count(subject.subject, '%') >= 4,
      strings.count(subject.subject, '\') >= 3,
      strings.count(subject.subject, "/") >= 3,
      strings.icontains(subject.subject, "xss"),
      strings.contains(subject.subject, "CharCode"),
      strings.contains(subject.subject, 'onload'),
      strings.contains(subject.subject, 'fetch('),
      strings.contains(subject.subject, "OnFocus="),
      strings.contains(subject.subject, 'javascript:fetch'),
      strings.icontains(subject.subject, "src="),
      strings.icontains(subject.subject, "iframe"),
      strings.icontains(subject.subject, "embed"),
      strings.icontains(subject.subject, "object"),
      strings.icontains(subject.subject, "onerror"),
      strings.icontains(subject.subject, "onclick"),
      strings.icontains(subject.subject, "onmouseover"),
      strings.icontains(subject.subject, "onmouseout"),
      strings.icontains(subject.subject, "onkeydown"),
      strings.icontains(subject.subject, "onkeypress"),
      strings.icontains(subject.subject, "onkeyup"),
      strings.icontains(subject.subject, "onchange"),
      strings.icontains(subject.subject, "oninput"),
      strings.icontains(subject.subject, "onsubmit"),
      regex.icontains(subject.subject, 'eval\b'),
      strings.icontains(subject.subject, "alert"),
      strings.icontains(subject.subject, "document.cookie"),
      strings.icontains(subject.subject, "document.write"),
      strings.icontains(subject.subject, "window.location"),
      strings.icontains(subject.subject, "setTimeout"),
      strings.icontains(subject.subject, "setInterval"),
      strings.icontains(subject.subject, "atob"),
      strings.icontains(subject.subject, "innerHTML"),
      strings.icontains(subject.subject, "outerHTML"),
      strings.icontains(subject.subject, "XMLHttpRequest"),
      regex.icontains(subject.subject, 'import\b'),
      strings.icontains(subject.subject, "execCommand")
    )
  )

attack_types:
  - "Malware/Ransomware"
  - "Credential Phishing"
tactics_and_techniques:
  - "Scripting"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "9c21225b-2dcf-5f72-b061-1c847129c319"
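The same logic as a stand-alone Python check, added here as an illustration; it is not part of the Sublime rule or its repository. It mirrors the sender gate, the body regex and the "2 of" subject indicator list above, and runs them over four constructed messages so the contribution of each indicator can be seen. The message dictionary shape (sender, subject, body_text, inbound) and the case-insensitive comparison of the sender local part are assumptions of this example, not properties of the rule engine.

```python
import re

# Subject indicators mirrored from the rule's "2 of ( ... )" block.
# strings.contains in the rule is case-sensitive; strings.icontains is not.
CASE_SENSITIVE_SUBSTRINGS = ["CharCode", "onload", "fetch(", "OnFocus=", "javascript:fetch"]
CASE_INSENSITIVE_SUBSTRINGS = [
    "src=", "iframe", "embed", "object", "onerror", "onclick", "onmouseover",
    "onmouseout", "onkeydown", "onkeypress", "onkeyup", "onchange", "oninput",
    "onsubmit", "alert", "document.cookie", "document.write", "window.location",
    "setTimeout", "setInterval", "atob", "innerHTML", "outerHTML",
    "XMLHttpRequest", "execCommand",
]
# regex.icontains(body.current_thread.text, 'document\.createElement.{0,9}script')
BODY_SCRIPT_LOADER = re.compile(r"document\.createElement.{0,9}script", re.IGNORECASE)


def subject_indicators(subject: str) -> list[str]:
    """Return the names of the subject checks that fire; the rule needs at least two."""
    low = subject.lower()
    checks = {
        'icount("script") > 1': low.count("script") > 1,
        "count('%') >= 4": subject.count("%") >= 4,
        "count('\\') >= 3": subject.count("\\") >= 3,  # one literal backslash
        'count("/") >= 3': subject.count("/") >= 3,
        'icontains("xss")': "xss" in low,
        "regex eval\\b": re.search(r"eval\b", subject, re.IGNORECASE) is not None,
        "regex import\\b": re.search(r"import\b", subject, re.IGNORECASE) is not None,
    }
    for kw in CASE_SENSITIVE_SUBSTRINGS:
        checks[f'contains("{kw}")'] = kw in subject
    for kw in CASE_INSENSITIVE_SUBSTRINGS:
        checks[f'icontains("{kw}")'] = kw.lower() in low
    return [name for name, hit in checks.items() if hit]


def rule_matches(msg: dict) -> bool:
    """Evaluate the rule against one message dict (the dict shape is this example's assumption)."""
    if not msg.get("inbound", True):              # type.inbound
        return False
    local_part = msg["sender"].split("@", 1)[0]
    if local_part.lower() != "wordpress":         # sender.email.local_part == "wordpress"
        return False                              # (case-insensitive compare assumed here)
    if BODY_SCRIPT_LOADER.search(msg.get("body_text", "")):
        return True                               # the body clause is sufficient on its own
    return len(subject_indicators(msg.get("subject", ""))) >= 2   # "2 of ( ... )"


# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    # 1. XSS probe submitted through a hijacked site's contact form; the
    #    payload is echoed into the notification subject.
    {"sender": "wordpress@blog.example", "inbound": True,
     "subject": "[Blog] New message: <script>alert(document.cookie)</script>",
     "body_text": "From: test\nMessage: hello"},
    # 2. Bland subject, script loader in the body.
    {"sender": "wordpress@blog.example", "inbound": True,
     "subject": "[Blog] A comment is awaiting moderation",
     "body_text": "var s = document.createElement('script'); s.src='//cdn.example/x.js';"},
    # 3. Legitimate WordPress notification: no indicators.
    {"sender": "wordpress@blog.example", "inbound": True,
     "subject": "[Blog] Password Reset",
     "body_text": "Someone has requested a password reset for the following account:"},
    # 4. Same payload as 1, but the sender gate fails.
    {"sender": "noreply@blog.example", "inbound": True,
     "subject": "<script>alert(document.cookie)</script>", "body_text": ""},
]


def evaluate(messages: list[dict]) -> list[bool]:
    """Verdict per message, in input order."""
    return [rule_matches(m) for m in messages]


if __name__ == "__main__":
    for m, verdict in zip(SAMPLE_MESSAGES, evaluate(SAMPLE_MESSAGES)):
        print(verdict, repr(m["subject"]), subject_indicators(m["subject"]))
```

Message 1 fires three subject indicators (two occurrences of "script", "alert", "document.cookie"), message 2 fires none in the subject but is caught by the body clause alone, and message 3 shows why the two-indicator threshold matters: a routine notification subject contributes nothing here, but a subject containing an ordinary word such as "object" or "import" would already be one indicator away from a match.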