sublime-security · morriscode · Jan 29, 2025 · Jan 2, 2025 · Jan 2, 2025 · Jan 2, 2025
@@ -0,0 +1,63 @@
+name: "Suspected WordPress abuse with Cross-Site Scripting (XSS) indicators"
+description: "Detects inbound messages from likely compromised WordPress sites that exhibit indicators of cross-site scripting (XSS) attempts. The rule identifies potential script injection patterns within message bodies and/or subjects containing multiple suspicious JavaScript-related keywords or indicators."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and sender.email.local_part == "wordpress"
+  and (
+    regex.icontains(body.current_thread.text,
+                    'document\.createElement.{0,9}script'
+    )
+    or 2 of (
+      strings.icount(subject.subject, "script") > 1,
+      strings.count(subject.subject, '%') >= 4,
+      strings.count(subject.subject, '\') >= 3,
+      strings.count(subject.subject, "/") >= 3,
+      strings.icontains(subject.subject, "xss"),
+      strings.contains(subject.subject, "CharCode"),
+      strings.contains(subject.subject, 'onload'),
+      strings.contains(subject.subject, 'fetch('),
+      strings.contains(subject.subject, "OnFocus="),
+      strings.contains(subject.subject, 'javascript:fetch'),
+      strings.icontains(subject.subject, "src="),
+      strings.icontains(subject.subject, "iframe"),
+      strings.icontains(subject.subject, "embed"),
+      strings.icontains(subject.subject, "object"),
+      strings.icontains(subject.subject, "onerror"),
+      strings.icontains(subject.subject, "onclick"),
+      strings.icontains(subject.subject, "onmouseover"),
+      strings.icontains(subject.subject, "onmouseout"),
+      strings.icontains(subject.subject, "onkeydown"),
+      strings.icontains(subject.subject, "onkeypress"),
+      strings.icontains(subject.subject, "onkeyup"),
+      strings.icontains(subject.subject, "onchange"),
+      strings.icontains(subject.subject, "oninput"),
+      strings.icontains(subject.subject, "onsubmit"),
+      regex.icontains(subject.subject, 'eval\b'),
+      strings.icontains(subject.subject, "alert"),
+      strings.icontains(subject.subject, "document.cookie"),
+      strings.icontains(subject.subject, "document.write"),
+      strings.icontains(subject.subject, "window.location"),
+      strings.icontains(subject.subject, "setTimeout"),
+      strings.icontains(subject.subject, "setInterval"),
+      strings.icontains(subject.subject, "atob"),
+      strings.icontains(subject.subject, "innerHTML"),
+      strings.icontains(subject.subject, "outerHTML"),
+      strings.icontains(subject.subject, "XMLHttpRequest"),
+      regex.icontains(subject.subject, 'import\b'),
+      strings.icontains(subject.subject, "execCommand")
+    )
+  )
+
+attack_types:
+  - "Malware/Ransomware"
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Scripting"
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Sender analysis"
+id: "9c21225b-2dcf-5f72-b061-1c847129c319"