alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Generic Phish 2016-08-19"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location|3a 20|http"; nocase; fast_pattern; pcre:"/^(?:s)?\x3a\/\/[^\/]*(?:s(?:ocietegenerale\.com|parkasse\.at|ina\.com\.cn|wisscom\.ch|ec\.gov)|b(?:bva(?:compass\.com|\.com\.co)|anque-accord\.fr|mo\.com)|g(?:o(?:(?:ogle\.co|v)\.uk|daddy\.com)|mail\.com)|(?:z(?:illow|oosk)|images\.kw|office365)\.com|t(?:el(?:stra\.com\.au|ekom\.com)|-online\.de)|c(?:reditmutuel\.fr|panel\.net|iti\.com)|(?:(?:realestate|nab)\.com\.a|unc\.ed)u|d(?:esjardins\.c(?:om|a)|iscover\.com)|e(?:arthlink\.net|ftel\.com\.au|bay\.de)|a(?:bl\.com\.pk|liyun\.com|nz\.co\.nz)|w(?:estpac\.com\.au|ikimedia\.org)|v(?:isaeurope\.ch|erizon\.net)|h(?:blibank\.com\.pk|sbc\.com)|paypal\.co\.uk)\/?/Ri"; http.content_type; content:"text/html"; startswith; classtype:credential-theft; sid:2032689; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, deprecation_reason Performance, performance_impact Significant, confidence Medium, signature_severity Critical, tag Phishing, updated_at 2024_04_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)