alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Potential Sofacy Phishing Redirect"; flow:established,to_client; file_data; content:"// stop for sometime if needed"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/phresh-phishing-against-government-defence-and-energy.html; classtype:targeted-activity; sid:2019541; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_28, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2019_07_26;)