Rule History

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Common Brand Phishing Hosted on Legitimate Windows Service"; flow:established,to_server; tls.sni; content:".core.windows.net"; endswith; pcre:"/^(?:d(?:(?:ocu|uco)sign|ropbox)|o(?:ffice365|nedrive)|adobe|gdoc)/"; pcre:!"/^onedrivecl[a-z]{2}prod[a-z]{2}[0-9]{5}\./"; classtype:policy-violation; sid:2026487; rev:12; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_15, deployment Perimeter, confidence Medium, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)