High Severity

Link: Credential phishing via WordPress

Labels

Credential Phishing

Social engineering

Description

Detects when non-WordPress senders link to suspended or malicious WordPress blog sites, commonly used to redirect users to credential harvesting pages.

References

No references.

Sublime Security

Created Apr 11th, 2025 • Last updated Aug 5th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and sender.email.domain.root_domain != "wordpress.com"
// there are few links
and 0 < length(body.links) <= 5
// there are wordpress links
and any(body.links,
        .href_url.domain.root_domain == "wordpress.com"
        and .href_url.domain.domain != "wordpress.com"
)
// a single link to wordpress site
and length(filter(body.links,
                  .href_url.domain.root_domain == "wordpress.com"
                  and .href_url.domain.domain != "wordpress.com"
           )
) == 1

// not a reply
and length(headers.references) == 0
and headers.in_reply_to is null

// we detect the wordpress page has phishing
and any(filter(body.links, .href_url.domain.root_domain == "wordpress.com"),
        ml.link_analysis(.).credphish.disposition == "phishing"
        or strings.icontains(ml.link_analysis(.).final_dom.display_text,
                             'This blog has been archived or suspended in accordance with our Terms of Service'
        )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.