alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Device Code Phishing Landing Page 2026-06-17"; flow:established,to_client; flowbits:set,ET.DeviceCodePhish; http.content_len; byte_test:0,<=,13000,0,string,dec; http.stat_code; content:"200"; http.response_body; content:"<title>microsoft verification</title>"; fast_pattern; nocase; content:"copy code"; nocase; content:"verify the code"; nocase; content:"login.microsoft.com/device"; nocase; content:"navigator.clipboard"; nocase; content:"document.execcommand("; nocase; classtype:social-engineering; sid:2069999; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2026_06_18, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Phishing, tag DeviceCodePhish, updated_at 2026_06_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)