alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Obfuscated Chase Phishing Landing 2016-03-23"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"document.write"; pcre:"/^\s*?\(\s*?unescape\s*?\(/Rsi"; content:"|25 32 45 25 36 33 25 36 38 25 36 31 25 37 33 25 36 35 25 32 45 25 36 33 25 36 46 25 36 44|"; fast_pattern; classtype:social-engineering; sid:2032375; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, confidence High, signature_severity Major, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information;)