Rule History

SID: 2022094 • Source: et/open

Versions (2)

Version Details (Current)

Rev: 4 • Nov 16, 2015, 12:00 PM

ET DELETED Successful Jimdo Outlook Web App Phishing Nov 16 2105

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Jimdo Outlook Web App Phishing Nov 16 2105"; flow:to_server,established; content:"POST"; http_method; content:"|2f 66 6f 72 6d 2f 73 75  62 6d 69 74 2f|"; http_uri; content:"|6a 69 6d 64 6f 2e 63 6f 6d 0d 0a|"; http_header; fast_pattern; content:"|6d 6f 64 75 6c 65 49 64 3d|"; nocase; http_client_body; depth:9; content:"|26 64 61 74 61 3b 3d|"; nocase; distance:0; http_client_body; content:"|45 6d 61 69 6c|"; nocase; distance:0; http_client_body; content:"|50 61 73 73 77 6f 72 64|"; nocase; distance:0; http_client_body; content:"|43 6f 6e 66 69 72 6d 2b  50 61 73 73 77 6f 72 64|"; nocase; distance:0; http_client_body; pcre:"/\/form\/submit\/$/U"; classtype:credential-theft; sid:2022094; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_16, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2019_07_26;)

Nov 16, 2015, 12:00 PM

Jul 26, 2019, 12:00 PM

Nov 16, 2015, 12:00 PM

May 31, 2024, 9:00 PM

rules/emerging-deleted.rules