Suspected WordPress abuse with Cross-Site Scripting (XSS) indicators

Sublime Rules

Summary
This detection rule targets suspicious inbound messages sent from compromised WordPress accounts that show signs of cross-site scripting (XSS) attacks. It analyzes message content, looking for patterns and keywords associated with script injection. Key indicators are JavaScript-related keywords in message bodies and subjects. The rule uses regular expressions and string counts to select messages that exhibit several signs of malicious behavior at once: repeated occurrences of the term 'script', an unusual density of special characters (such as '%', '\', and '/'), and HTML attributes and DOM calls commonly abused in XSS attacks (for example, 'onload', 'href', 'document.write'). Requiring several indicators together helps identify both overt and subtle XSS attempts that target users via compromised WordPress sites, which can lead to malware delivery or credential phishing.
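The summary describes the rule's logic in terms of keyword counts, special-character density and a combination of signals rather than any single match. The following Python block is an added illustration of that style of heuristic, written for this page; it is not the Sublime rule itself (which is expressed in Sublime's own query language), and the thresholds, token list and sample messages are assumptions constructed for the example. It scores three constructed messages: a normal WordPress comment notification, a legitimate operations email that merely mentions the word "script", and a message carrying injected markup.

```python
import re

# Case-insensitive count of the term "script" anywhere in subject or body.
SCRIPT_RE = re.compile(r"script", re.IGNORECASE)

# Attributes and DOM calls commonly abused in XSS (assumed list; the real
# rule's list is not reproduced on this page).
XSS_TOKEN_RE = re.compile(
    r"(?:\bonload\b|\bonerror\b|\bonmouseover\b|\bhref\b"
    r"|\bdocument\.write\b|\bdocument\.cookie\b|\beval\b)",
    re.IGNORECASE,
)

# Characters whose unusual density hints at encoded or injected payloads.
SPECIAL_CHARS = frozenset("%\\/")

# Assumed thresholds; tune against real traffic before deploying.
MIN_SCRIPT_COUNT = 2
MIN_XSS_TOKENS = 1
MIN_SPECIAL_RATIO = 0.05
MIN_SIGNALS = 2


def count_script(text: str) -> int:
    return len(SCRIPT_RE.findall(text))


def count_xss_tokens(text: str) -> int:
    return len(XSS_TOKEN_RE.findall(text))


def special_char_ratio(text: str) -> float:
    """Fraction of characters in text that are '%', '\\' or '/'."""
    if not text:
        return 0.0
    return sum(1 for c in text if c in SPECIAL_CHARS) / len(text)


def xss_indicators(subject: str, body: str) -> dict:
    """Compute each raw indicator separately so analysts can see why a message scored."""
    combined = f"{subject}\n{body}"
    return {
        "script_count": count_script(combined),
        "xss_token_count": count_xss_tokens(combined),
        "special_char_ratio": round(special_char_ratio(body), 3),
        "subject_mentions_javascript": bool(
            re.search(r"javascript|<script", subject, re.IGNORECASE)
        ),
    }


def is_suspected_xss(subject: str, body: str, min_signals: int = MIN_SIGNALS) -> bool:
    """Flag only when several independent indicators fire, to limit false positives."""
    ind = xss_indicators(subject, body)
    signals = [
        ind["script_count"] >= MIN_SCRIPT_COUNT,
        ind["xss_token_count"] >= MIN_XSS_TOKENS,
        ind["special_char_ratio"] >= MIN_SPECIAL_RATIO,
        ind["subject_mentions_javascript"],
    ]
    return sum(signals) >= min_signals


# Constructed sample messages (not from the original page).
SAMPLES = {
    "benign_comment_notification": (
        '[Example Blog] New comment on "Weekly update"',
        "Author: Jane (jane@example.com)\n"
        "Comment: Thanks for the update, looking forward to the next post.\n"
        "Approve it: https://example.com/wp-admin/comment.php?action=approve&c=42",
    ),
    "benign_ops_mail_mentioning_script": (
        "Backup script finished",
        "The nightly backup script completed without errors; the full log is at "
        "https://example.com/logs/2025-01-29.txt",
    ),
    "injected_markup": (
        "Your site has been updated <script>",
        'Restore access: <a href="https://example.invalid/wp-login.php?redirect='
        '%3Cscript%3E%3C%2Fscript%3E">restore</a>\n'
        '<script src="//example.invalid/x.js" onload="document.write()"></script>',
    ),
}


def evaluate_samples() -> dict:
    """Return {sample name: flagged?} for every constructed message."""
    return {name: is_suspected_xss(subj, body) for name, (subj, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (subj, body) in SAMPLES.items():
        print(name, xss_indicators(subj, body), "->", is_suspected_xss(subj, body))
```

The point of the multi-signal threshold shows in the second sample: an operations email that says "script" twice trips the keyword count alone and is correctly left unflagged, while the third sample fires on every indicator.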
Categories
  • Web
  • Cloud
  • Application
Data Sources
  • User Account
Created: 2025-01-29