
Summary
This detection rule targets unsolicited WordPress account-creation or password-reset emails, which are frequently spam or a prelude to account takeover. It inspects inbound messages for WordPress password reset links and fires when the link's 'login' query parameter does not match the recipient's email address, that is, when a reset link has been mailed to someone other than the account it was generated for. The rule is gated on sender reputation: it evaluates only when the sender is unsolicited, has previously sent malicious messages, or fails DMARC authentication. It then requires an HTML message body and looks for links that point to the WordPress login page. For each such link it extracts the query parameters, in particular 'key' and 'login', and compares 'login' against the recipient list; a mismatch is the signal that the reset was not requested by, or intended for, the recipient. The rule helps catch social-engineering attempts that abuse the WordPress password-reset flow.
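The matching logic described above, as an added Python example that is not the rule's own implementation (the rule itself is written in the detection platform's query language, which this page does not show). It extracts anchors from an HTML body, keeps those whose path ends in wp-login.php and that carry both 'key' and 'login' query parameters, and flags the message when 'login' matches none of the recipient addresses. The Message fields, the sender-reputation flags and the sample messages are constructed for the example.

```python
"""Model of the WordPress password-reset mismatch detection (added example)."""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


@dataclass
class Message:
    """Constructed message model; field names are assumptions for this example."""
    recipients: list = field(default_factory=list)
    body_html: str = ""
    content_type: str = "text/html"
    sender_unsolicited: bool = False
    sender_previously_malicious: bool = False
    dmarc_pass: bool = True


class LinkExtractor(HTMLParser):
    """Collect href values from <a> tags in the HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.hrefs


def wp_reset_links(hrefs):
    """Return (href, login, key) for links to a WordPress login page that
    carry both 'key' and 'login' query parameters; other links are ignored."""
    found = []
    for href in hrefs:
        url = urlparse(href)
        if not url.path.lower().endswith("/wp-login.php"):
            continue
        query = parse_qs(url.query)  # percent-decodes, so %40 becomes @
        login = query.get("login", [None])[0]
        key = query.get("key", [None])[0]
        if login is None or key is None:
            continue
        found.append((href, login, key))
    return found


def login_matches_recipient(login, recipients):
    """Case-insensitive comparison of the 'login' value to each recipient address."""
    login = login.strip().lower()
    return any(login == rcpt.strip().lower() for rcpt in recipients)


def sender_suspicious(msg):
    """Gate from the rule: unsolicited, previously malicious, or DMARC failure."""
    return msg.sender_unsolicited or msg.sender_previously_malicious or not msg.dmarc_pass


def evaluate(msg):
    """True when the rule should fire: suspicious sender, HTML body, and at least
    one WordPress reset link whose 'login' belongs to none of the recipients."""
    if not sender_suspicious(msg):
        return False
    if not msg.content_type.lower().startswith("text/html"):
        return False
    for _href, login, _key in wp_reset_links(extract_links(msg.body_html)):
        if not login_matches_recipient(login, msg.recipients):
            return True
    return False


def _body(login_param):
    return ('<p>Someone requested a password reset.</p><a href="https://blog.example.com/'
            'wp-login.php?action=rp&amp;key=k9f2Qx&amp;login=%s">Reset password</a>' % login_param)


def run_samples():
    """Constructed sample messages; returns rule verdict per case."""
    cases = {
        # Unsolicited sender, reset link generated for a different account: fires.
        "mismatch_unsolicited": Message(["alice@example.com"], _body("bob%40example.com"),
                                        sender_unsolicited=True),
        # Link was generated for the recipient (case differs only): does not fire.
        "match_unsolicited": Message(["alice@example.com"], _body("Alice%40Example.com"),
                                     sender_unsolicited=True),
        # Mismatch but a trusted sender with DMARC pass: gate not met, no fire.
        "mismatch_trusted": Message(["alice@example.com"], _body("bob%40example.com")),
        # DMARC failure alone satisfies the sender gate.
        "mismatch_dmarc_fail": Message(["alice@example.com"], _body("bob%40example.com"),
                                       dmarc_pass=False),
        # Plain-text body is not inspected by the rule.
        "mismatch_plaintext": Message(["alice@example.com"], _body("bob%40example.com"),
                                      content_type="text/plain", sender_unsolicited=True),
        # Login link without a reset key is not a reset link.
        "no_key": Message(["alice@example.com"],
                          '<a href="https://blog.example.com/wp-login.php?login=bob%40example.com">x</a>',
                          sender_unsolicited=True),
    }
    return {name: evaluate(msg) for name, msg in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(name, "->", "ALERT" if verdict else "clean")
```

One caveat when adapting this: WordPress's 'login' parameter carries the account's username, which equals the email address only on sites where users log in with their email. On sites that use separate usernames, every legitimate reset link would miss the exact-address comparison, so a deployment there would need a looser match or a different signal.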
Categories
- Web
- Identity Management
Data Sources
- User Account
- Network Traffic
Created: 2025-11-25