alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Hidden Javascript Redirect - Possible Phishing Jun 17"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/x-javascript"; startswith; file.data; content:"data_receiver_url"; fast_pattern; nocase; content:"redirect_url"; nocase; distance:0; content:"current_page"; nocase; distance:0; content:"cc_data"; nocase; distance:0; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*location\s*\.\s*href\s*=\s*redirect_url/Rsi"; reference:url,myonlinesecurity.co.uk/very-unusual-paypal-phishing-attack/; classtype:social-engineering; sid:2022905; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_17, deployment Perimeter, confidence Medium, signature_severity Critical, tag Phishing, updated_at 2024_03_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)