Suspected WordPress abuse with Cross-Site Scripting (XSS) indicators

Detects inbound messages from likely compromised WordPress sites that exhibit indicators of cross-site scripting (XSS) attempts. The rule identifies potential script injection patterns within message bodies and/or subjects containing multiple suspicious JavaScript-related keywords or indicators.

Sublime rule (View on GitHub)

 1name: "Suspected WordPress abuse with Cross-Site Scripting (XSS) indicators"
 2description: "Detects inbound messages from likely compromised WordPress sites that exhibit indicators of cross-site scripting (XSS) attempts. The rule identifies potential script injection patterns within message bodies and/or subjects containing multiple suspicious JavaScript-related keywords or indicators."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and sender.email.local_part == "wordpress"
 8  and (
 9    regex.icontains(body.current_thread.text,
10                    'document\.createElement.{0,9}script'
11    )
12    or 2 of (
13      strings.icount(subject.subject, "script") > 1,
14      strings.count(subject.subject, '%') >= 4,
15      strings.count(subject.subject, '\') >= 3,
16      strings.count(subject.subject, "/") >= 3,
17      strings.icontains(subject.subject, "xss"),
18      strings.contains(subject.subject, "CharCode"),
19      strings.contains(subject.subject, 'onload'),
20      strings.contains(subject.subject, 'fetch('),
21      strings.contains(subject.subject, "OnFocus="),
22      strings.contains(subject.subject, 'javascript:fetch'),
23      strings.icontains(subject.subject, "src="),
24      strings.icontains(subject.subject, "iframe"),
25      strings.icontains(subject.subject, "embed"),
26      strings.icontains(subject.subject, "object"),
27      strings.icontains(subject.subject, "onerror"),
28      strings.icontains(subject.subject, "onclick"),
29      strings.icontains(subject.subject, "onmouseover"),
30      strings.icontains(subject.subject, "onmouseout"),
31      strings.icontains(subject.subject, "onkeydown"),
32      strings.icontains(subject.subject, "onkeypress"),
33      strings.icontains(subject.subject, "onkeyup"),
34      strings.icontains(subject.subject, "onchange"),
35      strings.icontains(subject.subject, "oninput"),
36      strings.icontains(subject.subject, "onsubmit"),
37      regex.icontains(subject.subject, 'eval\b'),
38      strings.icontains(subject.subject, "alert"),
39      strings.icontains(subject.subject, "document.cookie"),
40      strings.icontains(subject.subject, "document.write"),
41      strings.icontains(subject.subject, "window.location"),
42      strings.icontains(subject.subject, "setTimeout"),
43      strings.icontains(subject.subject, "setInterval"),
44      strings.icontains(subject.subject, "atob"),
45      strings.icontains(subject.subject, "innerHTML"),
46      strings.icontains(subject.subject, "outerHTML"),
47      strings.icontains(subject.subject, "XMLHttpRequest"),
48      regex.icontains(subject.subject, 'import\b'),
49      strings.icontains(subject.subject, "execCommand")
50    )
51  )  
52
53attack_types:
54  - "Malware/Ransomware"
55  - "Credential Phishing"
56tactics_and_techniques:
57  - "Scripting"
58  - "Impersonation: Brand"
59  - "Social engineering"
60detection_methods:
61  - "Content analysis"
62  - "Sender analysis"
63id: "9c21225b-2dcf-5f72-b061-1c847129c319"