alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook WebApp Phish Landing 2015-11-05"; flow:established,from_server; file_data; content:"data-title=|22|Need a new Password?|22|>"; fast_pattern; nocase; content:"We|27|ll contact your admin to reset the password for|3a|"; nocase; distance:0; content:"We notified your admin to reset your password."; nocase; distance:0; content:"Now you'll need to wait until they do"; nocase; distance:0; content:"(or go ask them nicely, yourself)."; nocase; distance:0; content:"Once your admin resets your password"; nocase; distance:0; content:"you should receive an email with steps to login."; nocase; distance:0; classtype:social-engineering; sid:2031690; rev:5; metadata:created_at 2015_11_05, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_03_17;)