
Link: Suspicious wp-admin path from mismatched sender domain

Sublime Rules

Summary
Detects inbound messages containing links that point to a WordPress admin path (a single directory under /wp-admin/ with no subdirectories or file extensions). The rule flags when the link domain’s root_domain differs from the sender’s domain root_domain, which is indicative of credential phishing or link-based impersonation. To reduce false positives, messages from high-trust senders and known web security services that pass DMARC are excluded. The detection relies on analyzing the URL path, comparing domains, and inspecting authentication headers. The rule targets evasion and social engineering tactics used in credential harvesting and spoofing attempts.
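The logic described above, reimplemented as an added example rather than the rule's own source: a path check for a single directory under /wp-admin/, a root-domain comparison between link host and sender, and the DMARC-gated high-trust exclusion. The root-domain helper and the allowlist contents are assumptions (a real engine uses a public-suffix list and its own trust data).

```python
import re
from urllib.parse import urlparse

# Exactly one path segment under /wp-admin/: no nested directory, no file
# extension (the dot is excluded), optional trailing slash.
WP_ADMIN_PATH = re.compile(r"^/wp-admin/[^/.]+/?$")

# Assumed stand-ins for the rule's high-trust senders / web security services.
HIGH_TRUST_ROOT_DOMAINS = {"trusted-vendor.example", "linkscanner.example"}

# Constructed, deliberately tiny sample of two-level public suffixes.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au"}


def root_domain(host: str) -> str:
    """Approximate the registrable domain (eTLD+1) of a hostname."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_wp_admin_link(url: str) -> bool:
    """True when the URL path is a single directory under /wp-admin/."""
    return bool(WP_ADMIN_PATH.match(urlparse(url).path))


def flags_message(sender_domain: str, links: list[str], dmarc_pass: bool) -> list[str]:
    """Return the links in a message that trigger the rule."""
    sender_root = root_domain(sender_domain)
    # Exclusion: a high-trust sender that also passes DMARC is never flagged.
    if dmarc_pass and sender_root in HIGH_TRUST_ROOT_DOMAINS:
        return []
    hits = []
    for url in links:
        host = urlparse(url).hostname or ""
        if not host or not is_wp_admin_link(url):
            continue
        # Mismatch between link root domain and sender root domain is the signal.
        if root_domain(host) != sender_root:
            hits.append(url)
    return hits
```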
Categories
  • Web
Data Sources
  • Network Traffic
  • Domain Name
  • Application Log
Created: 2026-06-30