sublime | medium | Rule
Link: WordPress login page with Blogspot Binance scam
Detects messages containing WordPress login links (/wp-login.php) combined with Blogspot domains and Binance cryptocurrency scam language patterns in the body text.
Detection Query
type.inbound
and any(body.links, .display_url.path == '/wp-login.php')
and regex.icontains(body.current_thread.text,
'[a-z]{5,10}\.blogspot\.[a-z.]{2,6}\s*-\s*\d[\d\s]*\s*(USD|EURO?)\s*BINANCE'
)
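The rule's two content conditions can be checked offline against sample messages. The following is an added example, not part of the rule or of Sublime's code: it emulates the query with Python's `re` and `urllib.parse`, and the message dictionaries, function names and sample hosts are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Pattern copied verbatim from the rule's regex.icontains() call.
SCAM_TEXT = re.compile(
    r'[a-z]{5,10}\.blogspot\.[a-z.]{2,6}\s*-\s*\d[\d\s]*\s*(USD|EURO?)\s*BINANCE',
    re.IGNORECASE,  # icontains: case-insensitive, matches anywhere in the text
)

def has_wp_login_link(display_urls):
    """Emulates any(body.links, .display_url.path == '/wp-login.php')."""
    return any(urlsplit(u).path == '/wp-login.php' for u in display_urls)

def rule_matches(msg):
    """All conditions must hold, as in the rule's `and` chain."""
    return (
        msg['inbound']
        and has_wp_login_link(msg['display_urls'])
        and SCAM_TEXT.search(msg['text']) is not None
    )

# Constructed sample messages (simplified model: display URLs as plain strings).
SAMPLES = {
    'usd_variant': {
        'inbound': True,
        'display_urls': ['https://site.example/wp-login.php'],
        'text': 'exampleone.blogspot.com - 1 250 USD BINANCE',
    },
    'euro_lowercase': {
        'inbound': True,
        'display_urls': ['https://site.example/wp-login.php?action=register'],
        'text': 'Exampleone.Blogspot.co.uk-300 euro binance',
    },
    'scam_text_without_wp_login': {
        'inbound': True,
        'display_urls': ['https://site.example/index.html'],
        'text': 'exampleone.blogspot.com - 1 250 USD BINANCE',
    },
    'wp_login_without_scam_text': {
        'inbound': True,
        'display_urls': ['https://site.example/wp-login.php'],
        'text': 'Reset your WordPress password using the link below.',
    },
}

def evaluate(samples=SAMPLES):
    """Return {sample name: True if the emulated rule fires}."""
    return {name: rule_matches(m) for name, m in samples.items()}
```

Only the first two samples fire: the rule needs both the `/wp-login.php` display path and the Blogspot/amount/BINANCE text, so an ordinary WordPress password-reset mail does not match.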
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Link: WordPress login page with Blogspot Binance scam"
description: "Detects messages containing WordPress login links (/wp-login.php) combined with Blogspot domains and Binance cryptocurrency scam language patterns in the body text."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links, .display_url.path == '/wp-login.php')
  and regex.icontains(body.current_thread.text,
                      '[a-z]{5,10}\.blogspot\.[a-z.]{2,6}\s*-\s*\d[\d\s]*\s*(USD|EURO?)\s*BINANCE'
  )
attack_types:
- "Credential Phishing"
- "BEC/Fraud"
tactics_and_techniques:
- "Social engineering"
- "Free subdomain host"
- "Impersonation: Brand"
detection_methods:
- "Content analysis"
- "URL analysis"
id: "909dfae5-89f4-5703-99b5-47d0f8379439"