Detection rules › Sublime MQL
Link: WordPress login page with Blogspot Binance scam
Detects messages containing WordPress login links (/wp-login.php) combined with Blogspot domains and Binance cryptocurrency scam language patterns in the body text.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing, BEC/Fraud |
| Tactics and techniques | Social engineering, Free subdomain host, Impersonation: Brand |
Event coverage
| Message attribute |
|---|
| body |
| body.current_thread |
| body.links (collection) |
| type |
Rule body MQL
type.inbound
and any(body.links, .display_url.path == '/wp-login.php')
and regex.icontains(body.current_thread.text,
'[a-z]{5,10}\.blogspot\.[a-z.]{2,6}\s*-\s*\d[\d\s]*\s*(USD|EURO?)\s*BINANCE'
)
Detection logic
Scope: inbound message.
Detects messages containing WordPress login links (/wp-login.php) combined with Blogspot domains and Binance cryptocurrency scam language patterns in the body text.
- inbound message
any of
body.linkswhere:- .display_url.path is '/wp-login.php'
- body.current_thread.text matches '[a-z]{5,10}\\.blogspot\\.[a-z.]{2,6}\\s*-\\s*\\d[\\d\\s]*\\s*(USD|EURO?)\\s*BINANCE'
Inspects: body.current_thread.text, body.links, body.links[].display_url.path, type.inbound. Sensors: regex.icontains.
Indicators matched (2)
| Field | Match | Value |
|---|---|---|
body.links[].display_url.path | equals | /wp-login.php |
regex.icontains | regex | [a-z]{5,10}\.blogspot\.[a-z.]{2,6}\s*-\s*\d[\d\s]*\s*(USD|EURO?)\s*BINANCE |