Link: WordPress login page with Blogspot Binance scam

Detects inbound messages that combine a WordPress login link (a body link whose display URL path is `/wp-login.php`) with, in the current thread's text, a Blogspot hostname followed by a numeric amount, a currency marker (USD or EUR/EURO) and the word "BINANCE". The pairing of a stolen or staged WordPress login page with a free-subdomain blog lure and cryptocurrency payout language is the scam pattern the rule keys on; either signal alone does not fire it.

Sublime rule (View on GitHub)

name: "Link: WordPress login page with Blogspot Binance scam"
description: "Detects messages containing WordPress login links (/wp-login.php) combined with Blogspot domains and Binance cryptocurrency scam language patterns in the body text."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links, .display_url.path == '/wp-login.php')
  and regex.icontains(body.current_thread.text,
                      '[a-z]{5,10}\.blogspot\.[a-z.]{2,6}\s*-\s*\d[\d\s]*\s*(USD|EURO?)\s*BINANCE'
  )

attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
  - "Free subdomain host"
  - "Impersonation: Brand"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "909dfae5-89f4-5703-99b5-47d0f8379439"
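To see how the two predicates combine, the following is an added Python re-implementation of the rule's logic run over constructed sample messages. It is not Sublime's engine or any code from the rule's repository: the message dictionaries, their field names (`direction`, `display_urls`, `thread_text`) and the sample link and body text are assumptions standing in for `type.inbound`, `body.links[].display_url` and `body.current_thread.text`. The regex itself is the rule's own pattern, compiled case-insensitively to mirror `regex.icontains`.

```python
import re
from urllib.parse import urlsplit

# The rule's own pattern; re.IGNORECASE mirrors regex.icontains, and
# re.search mirrors "contains" (the pattern is not anchored).
BINANCE_BLOGSPOT_RE = re.compile(
    r"[a-z]{5,10}\.blogspot\.[a-z.]{2,6}\s*-\s*\d[\d\s]*\s*(USD|EURO?)\s*BINANCE",
    re.IGNORECASE,
)
WP_LOGIN_PATH = "/wp-login.php"


def has_wp_login_link(display_urls):
    """any(body.links, .display_url.path == '/wp-login.php'):
    only the path component is compared, so query strings such as
    ?redirect_to=... do not defeat the check."""
    return any(urlsplit(url).path == WP_LOGIN_PATH for url in display_urls)


def has_blogspot_binance_lure(thread_text):
    """regex.icontains(body.current_thread.text, <pattern>)."""
    return BINANCE_BLOGSPOT_RE.search(thread_text) is not None


def rule_matches(message):
    """type.inbound and <link check> and <text check>."""
    return (
        message["direction"] == "inbound"
        and has_wp_login_link(message["display_urls"])
        and has_blogspot_binance_lure(message["thread_text"])
    )


# Constructed sample messages (hypothetical, not captured mail).
SCAM_LINK = "https://compromised-blog.example/wp-login.php?redirect_to=%2Fwp-admin%2F"
LURE_TEXT = "Your reward is waiting:\nbonuspay.blogspot.com - 1 500 USD BINANCE\nClaim now"

SAMPLE_MESSAGES = {
    # Both signals present on an inbound message: the rule fires.
    "scam": {
        "direction": "inbound",
        "display_urls": [SCAM_LINK],
        "thread_text": LURE_TEXT,
    },
    # Lower-case lure text still matches because of icontains semantics.
    "scam_lowercase": {
        "direction": "inbound",
        "display_urls": [SCAM_LINK],
        "thread_text": "bonuspay.blogspot.co.uk - 250 euro binance",
    },
    # A WordPress login link alone (e.g. a genuine site notice) does not fire.
    "wp_login_only": {
        "direction": "inbound",
        "display_urls": [SCAM_LINK],
        "thread_text": "Reminder: your WordPress password expires next week.",
    },
    # The Blogspot/Binance lure alone, with an unrelated link, does not fire.
    "lure_only": {
        "direction": "inbound",
        "display_urls": ["https://compromised-blog.example/wp-admin/"],
        "thread_text": LURE_TEXT,
    },
    # Same content outbound is out of scope for the rule.
    "outbound_copy": {
        "direction": "outbound",
        "display_urls": [SCAM_LINK],
        "thread_text": LURE_TEXT,
    },
}


def evaluate_samples(messages=SAMPLE_MESSAGES):
    """Return {sample name: whether the rule would fire}."""
    return {name: rule_matches(msg) for name, msg in messages.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:15s} -> {'MATCH' if fired else 'no match'}")
```

Two details of the rule are worth noting when tuning it. The leading `[a-z]{5,10}` is not anchored, so a longer Blogspot subdomain still matches on its last ten characters; it restricts the label's character set, not its length. And the path comparison is against the display URL, so a message whose visible link text is a benign URL while the href points at `/wp-login.php` is not covered by this particular predicate.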