alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Page 2021-05-18"; flow:established,from_server; http.header; content:"|0d 0a|Content-Type|3a 20|text/html"; file.data; content:"<html>"; startswith; content:"<title>Mail Verification</title><script src=|27|http|3a 2f 2f|"; content:!"google."; within:20; content:"/google_analytics_auto.js|27|></script>"; distance:0; within:100; content:"<form method=|22|post|22 20|action=|22|x3d.php|22|"; distance:0; fast_pattern; reference:url,app.any.run/tasks/654f09ca-352f-4d7a-a8eb-ce49c88b4f58/; classtype:credential-theft; sid:2033001; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_05_19, deployment Perimeter, confidence Medium, signature_severity Critical, tag Phishing, updated_at 2021_05_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)