Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Evilginx Activity (Favicon Query)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:46; content:"/s2/favicons?domain=organizationname.tld&sz=64"; fast_pattern; http.host; content:"www.google.com"; reference:url,github.com/kgretzky/evilginx2; classtype:bad-unknown; sid:2060571; rev:2; metadata:attack_target Client_Endpoint, created_at 2025_03_03, deployment Perimeter, confidence Low, signature_severity Major, tag Phishing, tag Evilginx, updated_at 2025_03_08;)