Sublime rule (severity: low)

Spam: Unsolicited WordPress account creation or password reset request

Detects messages containing WordPress password reset links where the login parameter does not match the recipient's email address. The rule triggers for unsolicited senders, previously malicious senders, or when DMARC authentication fails.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and body.html.raw is null
and any(body.links,
        .href_url.path == "/wp-login.php"
        and any(.href_url.query_params_decoded["key"], . is not null)
        and any(.href_url.query_params_decoded["login"],
                any(recipients.to,
                    .email.local_part != .. and .email.email != ..
                )
        )
)
and (
  (
    not profile.by_sender().solicited
    and profile.by_sender().prevalence == "new"
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
  or not headers.auth_summary.dmarc.pass
)
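To make the query's logic concrete, the following added example (not part of the Sublime rule or its repository) re-implements the same checks in plain Python over a constructed plaintext message: it extracts links from the body, keeps only those whose path is exactly `/wp-login.php` with a non-empty `key` parameter, decodes the `login` parameter, and reports it when it matches neither a recipient's local part nor their full address. The sender-profile and DMARC gating is modelled as a small dictionary, since the `profile.by_sender()` and `headers.auth_summary` values are computed by the platform rather than by the message itself. The sample message, addresses and domain are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# The rule matches the path exactly, so a WordPress install under a
# subdirectory (/blog/wp-login.php) would not satisfy this condition.
WP_LOGIN_PATH = "/wp-login.php"


def extract_links(body_text):
    """Pull http(s) URLs out of a plaintext body (the rule only fires when
    body.html.raw is null, so there is no HTML to parse here)."""
    return re.findall(r"https?://[^\s<>\"']+", body_text)


def reset_link_mismatches(links, recipients_to):
    """Return (login, recipient) pairs for WordPress reset links whose decoded
    'login' value matches neither the recipient's local part nor full address.
    Mirrors: any(body.links, path == /wp-login.php and key is not null and
    any(login, any(recipients.to, local_part != login and email != login)))."""
    hits = []
    for link in links:
        parsed = urlparse(link)
        if parsed.path != WP_LOGIN_PATH:
            continue
        # parse_qs percent-decodes values, like query_params_decoded in MQL;
        # blank values are dropped, so 'key=' counts as absent.
        params = parse_qs(parsed.query)
        if not params.get("key"):
            continue
        for login in params.get("login", []):
            for rcpt in recipients_to:
                local_part = rcpt.split("@", 1)[0]
                if login != local_part and login != rcpt:
                    hits.append((login, rcpt))
    return hits


def sender_conditions_met(profile, dmarc_pass):
    """The three alternative sender/authentication conditions from the rule."""
    unsolicited_new = (not profile["solicited"]) and profile["prevalence"] == "new"
    known_bad = (profile["any_messages_malicious_or_spam"]
                 and not profile["any_messages_benign"])
    return unsolicited_new or known_bad or not dmarc_pass


def evaluate(message):
    """Full rule: inbound, plaintext-only, mismatched reset link, suspicious sender."""
    if not message["inbound"] or message["html_raw"] is not None:
        return False
    links = extract_links(message["body_text"])
    if not reset_link_mismatches(links, message["recipients_to"]):
        return False
    return sender_conditions_met(message["sender_profile"], message["dmarc_pass"])


# Constructed sample: a reset link for the 'admin' account delivered to a
# recipient who is not 'admin', from a sender this mailbox never wrote to.
SAMPLE_MESSAGE = {
    "inbound": True,
    "html_raw": None,
    "body_text": (
        "Someone has requested a password reset for the following account:\n\n"
        "Username: admin\n\n"
        "To reset your password, visit the following address:\n"
        "https://blog.example.invalid/wp-login.php?action=rp&key=abc123&login=admin\n"
    ),
    "recipients_to": ["jane.doe@example.invalid"],
    "sender_profile": {
        "solicited": False,
        "prevalence": "new",
        "any_messages_malicious_or_spam": False,
        "any_messages_benign": False,
    },
    "dmarc_pass": True,
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_MESSAGE))  # True
```

Two details of the original query are worth keeping in mind when reading this. First, `any(recipients.to, ...)` means a message sent to several recipients fires if even one of them does not match the `login` value, so a legitimate reset mailed to a shared alias plus the owner would still match the link condition and only the sender/DMARC clause can keep it quiet. Second, the comparison uses the decoded parameter, so `login=jane.doe%40example.invalid` is treated as the recipient's address and does not match.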

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Tags

Attack surface reduction

Raw Content
name: "Spam: Unsolicited WordPress account creation or password reset request"
description: "Detects messages containing WordPress password reset links where the login parameter does not match the recipient's email address. The rule triggers for unsolicited senders, previously malicious senders, or when DMARC authentication fails."
type: "rule"
severity: "low"
source: |
  type.inbound
  and body.html.raw is null
  and any(body.links,
          .href_url.path == "/wp-login.php"
          and any(.href_url.query_params_decoded["key"], . is not null)
          and any(.href_url.query_params_decoded["login"],
                  any(recipients.to,
                      .email.local_part != .. and .email.email != ..
                  )
          )
  )
  and (
    (
      not profile.by_sender().solicited
      and profile.by_sender().prevalence == "new"
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
    or not headers.auth_summary.dmarc.pass
  )
tags:
 - "Attack surface reduction"
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "e182b6b2-6980-5729-b9a5-221867b5093b"