alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Generic Phish 2016-10-07"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location|3a 20|http"; nocase; fast_pattern; pcre:"/^s?\x3a\/\/[^\/]*(?:goo(?:gle(?:\.(?:c(?:om\.[en]g|a)|r[ou])|apps\.com)|\.gl)|c(?:iovaccocapital\.com|entrin\.net\.id|artasi\.it)|s(?:(?:antander\.com\.b|fr\.f)r|tandardbank\.co\.za)|(?:aliexpress|vanguard|tdbank|ibm)\.com|e(?:xperienceasb\.co\.nz|im\.ae)|n(?:(?:avy)?fcu\.org|wolb\.com)|unicredit\.it|mbna\.co\.uk|oney\.fr|zkb\.ch)\/?/Ri"; http.content_type; content:"text/html"; startswith; classtype:credential-theft; sid:2032706; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, deprecation_reason Performance, performance_impact Significant, confidence Medium, signature_severity Critical, tag Phishing, updated_at 2024_04_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)