sublime | low | Rule
Spam: Unsolicited WordPress account creation or password reset request
Detects messages containing WordPress password reset links where the login parameter does not match the recipient's email address. The rule triggers for unsolicited senders, previously malicious senders, or when DMARC authentication fails.
Detection Query
type.inbound
and body.html.raw is null
and any(body.links,
        .href_url.path == "/wp-login.php"
        and any(.href_url.query_params_decoded["key"], . is not null)
        and any(.href_url.query_params_decoded["login"],
                any(recipients.to,
                    .email.local_part != .. and .email.email != ..
                )
        )
)
and (
  (
    not profile.by_sender().solicited
    and profile.by_sender().prevalence == "new"
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
  or not headers.auth_summary.dmarc.pass
)
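The conditions of the query above, re-expressed in Python as an added example (not Sublime's code and not part of the rule). The message dictionary layout, function names and sample values are constructed for illustration, and `!=` is assumed to be an exact string comparison.

```python
from urllib.parse import urlsplit, parse_qs

def login_mismatch(url, recipients):
    """Link condition: /wp-login.php path, a 'key' parameter, and a 'login'
    value that differs from a recipient's local part and full address."""
    parts = urlsplit(url)
    if parts.path != "/wp-login.php":      # exact path match, as in the rule
        return False
    params = parse_qs(parts.query)         # percent-decodes values
    if not params.get("key"):
        return False
    for login in params.get("login", []):
        for rcpt in recipients:
            # Assumption: != is an exact, case-sensitive comparison.
            if rcpt.split("@", 1)[0] != login and rcpt != login:
                return True                # one non-matching recipient suffices
    return False

def rule_matches(msg):
    """Full rule over a constructed message dict (hypothetical layout)."""
    s = msg["sender"]
    sender_hit = (
        (not s["solicited"] and s["prevalence"] == "new")
        or (s["malicious_or_spam"] and not s["benign"])
        or not msg["dmarc_pass"]
    )
    return (msg["inbound"] and msg["html_raw"] is None
            and any(login_mismatch(u, msg["to"]) for u in msg["links"])
            and sender_hit)

# Constructed sample: plain-text message from a first-time, unsolicited sender.
SAMPLE = {
    "inbound": True, "html_raw": None, "dmarc_pass": True,
    "to": ["alice@example.org"],
    "links": ["https://blog.example.com/wp-login.php?action=rp&key=k1&login=qx77promo"],
    "sender": {"solicited": False, "prevalence": "new",
               "malicious_or_spam": False, "benign": False},
}

if __name__ == "__main__":
    print(rule_matches(SAMPLE))  # True
```

Under this reading of the nested `any()`, a message addressed to several recipients matches as soon as one of them differs from the `login` value, and a WordPress install served from a subdirectory (for example `/blog/wp-login.php`) is not covered by the exact path comparison.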
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Spam: Unsolicited WordPress account creation or password reset request"
description: "Detects messages containing WordPress password reset links where the login parameter does not match the recipient's email address. The rule triggers for unsolicited senders, previously malicious senders, or when DMARC authentication fails."
type: "rule"
severity: "low"
source: |
  type.inbound
  and body.html.raw is null
  and any(body.links,
          .href_url.path == "/wp-login.php"
          and any(.href_url.query_params_decoded["key"], . is not null)
          and any(.href_url.query_params_decoded["login"],
                  any(recipients.to,
                      .email.local_part != .. and .email.email != ..
                  )
          )
  )
  and (
    (
      not profile.by_sender().solicited
      and profile.by_sender().prevalence == "new"
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
    or not headers.auth_summary.dmarc.pass
  )
tags:
- "Attack surface reduction"
attack_types:
- "Spam"
tactics_and_techniques:
- "Social engineering"
detection_methods:
- "Header analysis"
- "Sender analysis"
- "URL analysis"
id: "e182b6b2-6980-5729-b9a5-221867b5093b"