Medium Severity

Link: Suspicious wp-admin path from mismatched sender domain

Description

Detects inbound messages containing links that point to a WordPress admin path (single directory under /wp-admin/ with no subdirectories or file extensions) where the link domain does not match the sender's domain. This mismatch, combined with the use of a sensitive admin path, is indicative of malicious activity. Messages from high-trust senders and known web security services passing DMARC are excluded.

References

No references.

Sublime Security
Created Jun 29th, 2026 • Last updated Jun 29th, 2026
Source
type.inbound
// single file/directory under wp-admin which doesn't contain a .
and any(body.links,
        regex.icontains(.href_url.path, '^/wp-admin/[^/\.]+/?$')
        // domain is not the same as the sender domain
        and .href_url.domain.root_domain != sender.email.domain.root_domain
)
and not (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    // website security companies that send reports via email
    or sender.email.domain.root_domain in ('imperva.com', 'urllo.com')
  )
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Deploy and integrate a free Sublime instance in minutes.
Get Started