From 6a9bb3606bb8371ff799dc95cfca49277d2a3cfe Mon Sep 17 00:00:00 2001
From: twesterhever <40121680+twesterhever@users.noreply.github.com>
Date: Fri, 2 Jun 2023 10:02:19 +0000
Subject: [PATCH] [Minor] Improve HACKED_WP_PHISHING coverage
---
 conf/composites.conf | 2 +-
 conf/scores.d/phishing_group.conf | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/conf/composites.conf b/conf/composites.conf
index 19a2187e6..efb287207 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -66,7 +66,7 @@ composites {
 policy = "remove_weight";
 }
 HACKED_WP_PHISHING {
- expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
+ expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | CRACKED_SURBL | PH_SURBL_MULTI | DBL_PHISH | DBL_ABUSE_PHISH | URIBL_BLACK | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
 description = "Phish message sent by hacked Wordpress instance";
 policy = "leave";
 }
diff --git a/conf/scores.d/phishing_group.conf b/conf/scores.d/phishing_group.conf
index 5ee7374a1..24d0ad596 100644
--- a/conf/scores.d/phishing_group.conf
+++ b/conf/scores.d/phishing_group.conf
@@ -35,7 +35,7 @@ symbols = {
 }
 HACKED_WP_PHISHING {
 weight = 4.5;
- description = "Phishing message from hacked wordpress";
+ description = "Phish message sent by hacked Wordpress instance";
 }
 REDIRECTOR_FALSE {
 weight = 0.0;
@@ -50,4 +50,4 @@ symbols = {
 weight = 0.0;
 description = "Phishing exclusion symbol for known exceptions";
 }
-}
\ No newline at end of file
+}
-- 
2.39.5
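Review bot: In the widened right-hand group of the `HACKED_WP_PHISHING` expression, `URIBL_BLACK` and `CRACKED_SURBL` are, going by their names and usual meaning, general spam-domain and compromised-site listings rather than phishing verdicts, so the composite can now fire on mail that no phishing source has flagged while its description still reads "Phish message sent by hacked Wordpress instance". Because `policy = "leave"` keeps the matched symbols in the result, the composite's own weight (4.5 in conf/scores.d/phishing_group.conf) is added on top of whatever those list symbols already score, which raises the cost of a single wrong listing. As written, the expression also does not tie the listed URL to the one that set `HAS_WP_URI`, so a WordPress link and an unrelated blocklisted link in the same message appear to be enough. I would either keep the two broad lists out of this composite or record the intent above the expression, e.g. `# URIBL_BLACK / CRACKED_SURBL are broader than phishing; included deliberately to catch unlabelled phish from compromised WP hosts`. The enclosing `composites {` block opens and closes outside this hunk.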