Versions (3)
Version DetailsCurrent
Rev: 1 • May 18, 2020, 12:00 PMET PHISHING Possible Successful Phish to NOIP DynDNS Domain
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to NOIP DynDNS Domain"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; pcre:"/\.(?:s(?:e(?:rve(?:(?:(?:(?:counterstri|qua)k|exchang|gam)e|h(?:alflife|umour|ttp)|p(?:ics|2p)|sarcasm|ftp|irc).com|m(?:inecraft.net|p3.com)|b(?:eer.com|log.net))|curitytactics.com)|tufftoread.com|ytes.net)|m(?:y(?:securitycamera.(?:com|net|org)|(?:activedirectory|vnc).com|(?:mediapc|effect|psx).net|d(?:issent.net|dns.me)|ftp.(?:biz|org))|lbfan.org|mafan.biz)|d(?:(?:itchyourip|amnserver|ynns).com|dns(?:.(?:net|me)|king.com)|ns(?:iskinky.com|for.me)|vrcam.info)|h(?:o(?:(?:mesecurity(?:ma|p)c|sthampster).com|pto.(?:org|me))|ealth-carereform.com)|c(?:(?:o(?:uchpotatofries|llegefan)|able-modem).org|iscofreak.com)|p(?:(?:rivatizehealthinsurance|gafan).net|oint(?:2this.com|to.us))|f(?:reedynamicdns.(?:net|org)|antasyleague.cc)|(?:(?:3utiliti|quicksyt)es|onthewifi).com|b(?:logsyte.com|ounceme.net|rasilia.me)|n(?:et-freaks.com|flfan.org|hlfan.net)|re(?:ad-books.org|directme.net)|u(?:nusualperson.com|fcfan.org)|(?:eating-organic|viewdns).net|w(?:orkisboring.com|ebhop.me)|g(?:eekgalaxy.com|olffan.us)|ilovecollege.info|loginto.me|access.ly|zapto.org)(\x3a\d{1,5})?$/"; classtype:credential-theft; sid:2030172; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, confidence Medium, signature_severity Critical, tag Phishing, updated_at 2020_05_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
May 18, 2020, 12:00 PM
May 18, 2020, 12:00 PM
Sep 21, 2024, 3:00 AM
Sep 21, 2024, 3:00 AM
rules/emerging-phishing.rules