Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Ferest Smuggler Request M2"; flow:established,to_server; http.uri; content:"?"; content:"&pid="; distance:64; within:5; content:"&encoding"; distance:64; within:9; content:"="; distance:32; within:1; content:"&username="; distance:64; within:10; content:"&unsubscribe="; distance:0; content:"&pathOWA="; distance:32; within:9; content:"-mail"; endswith; distance:32; within:5; fast_pattern; pcre:"/\?(?P<variable>[a-f0-9]{32})(?P=variable)\&pid=(?P=variable){2}&encoding(?P=variable)=(?P=variable){2}&username=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}={2})\&unsubscribe=(?P=variable)\&pathOWA=(?P=variable)-mail$/"; reference:url,medium.com/@thrunter/cyberuptive-identifies-and-disrupts-ferest-smuggler-a-mass-credential-harvesting-campaign-22875c563854; classtype:credential-theft; sid:2047706; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2023_08_23, deployment Perimeter, deployment SSLDecrypt, malware_family Ferest_Smuggler, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_08_23, reviewed_at 2023_08_23; target:src_ip;)