Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Nedbank Phishing Landing Page 2022-06-22"; flow:established,to_client; http.stat_code; content:"200"; http.header_names; content:"Access-Control-Allow-Origin"; content:"Access-Control-Allow-Methods"; content:"Access-Control-Allow-Headers"; http.response_body; content:"|3c 21|DOCTYPE html|3e 0d 0a 3c 21 2d 2d 20|saved from url|3d 28|0042|29|https|3a 2f 2f|secured|2e|nedbank|2e|co|2e|za|2f 20 2d 2d 3e|"; startswith; fast_pattern; content:"|3c 21 2d 2d 20|base|20|href|3d 22|https|3a 2f 2f|secured|2e|nedbank|2e|co|2e|za|2f 22 20 2d 2d 3e|"; distance:0; reference:md5,fea7f8afb1702315f20a90968dc8c191; classtype:trojan-activity; sid:2037101; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_23, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_06_23, reviewed_at 2025_01_06;)