EXPLORE
Sign In
← Back to Explore
sublimehighRule

Link: Credential phishing via WordPress

Detects when non-WordPress senders link to suspended or malicious WordPress blog sites, commonly used to redirect users to credential harvesting pages.

MITRE ATT&CK

T1566T1566.001T1566.002T1598
initial-access

Detection Query

type.inbound
and sender.email.domain.root_domain != "wordpress.com"
// there are few links
and 0 < length(body.links) <= 5
// there are wordpress links
and any(body.links,
        .href_url.domain.root_domain == "wordpress.com"
        and .href_url.domain.domain != "wordpress.com"
)
// a single link to wordpress site
and length(filter(body.links,
                  .href_url.domain.root_domain == "wordpress.com"
                  and .href_url.domain.domain != "wordpress.com"
           )
) == 1

// not a reply
and length(headers.references) == 0
and headers.in_reply_to is null

// we detect the wordpress page has phishing
and any(filter(body.links, .href_url.domain.root_domain == "wordpress.com"),
        ml.link_analysis(.).credphish.disposition == "phishing"
        or strings.icontains(ml.link_analysis(.).final_dom.display_text,
                             'This blog has been archived or suspended in accordance with our Terms of Service'
        )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Link: Credential phishing via WordPress"
description: "Detects when non-WordPress senders link to suspended or malicious WordPress blog sites, commonly used to redirect users to credential harvesting pages."
type: "rule"
severity: "high"
source: |
  type.inbound
  and sender.email.domain.root_domain != "wordpress.com"
  // there are few links
  and 0 < length(body.links) <= 5
  // there are wordpress links
  and any(body.links,
          .href_url.domain.root_domain == "wordpress.com"
          and .href_url.domain.domain != "wordpress.com"
  )
  // a single link to wordpress site
  and length(filter(body.links,
                    .href_url.domain.root_domain == "wordpress.com"
                    and .href_url.domain.domain != "wordpress.com"
             )
  ) == 1
  
  // not a reply
  and length(headers.references) == 0
  and headers.in_reply_to is null
  
  // we detect the wordpress page has phishing
  and any(filter(body.links, .href_url.domain.root_domain == "wordpress.com"),
          ml.link_analysis(.).credphish.disposition == "phishing"
          or strings.icontains(ml.link_analysis(.).final_dom.display_text,
                               'This blog has been archived or suspended in accordance with our Terms of Service'
          )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Free subdomain host"
detection_methods:
  - "URL analysis"
  - "Header analysis"
  - "Computer Vision"
id: "db696058-909c-585b-928e-7e64c9659015"