Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page 2022-02-25"; http.stat_code; content:"200"; file.data; content:"|3c|script|20|type|3d 22|text|2f|javascript|22 3e|"; nocase; content:"window.location.hash"; nocase; distance:100; content:".substring"; nocase; distance:500; content:".split"; nocase; distance:200; content:"let|20|email|20 3d 20|window|2e|atob"; fast_pattern; nocase; distance:500; content:"window.atob"; nocase; distance:200; content:"window.location"; nocase; distance:200; content:".substring"; nocase; distance:500; content:"+email"; nocase; distance:500; content:"window.location"; nocase; distance:100; content:"</script>"; nocase; distance:100; classtype:credential-theft; sid:2035294; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_02_24;)