ET PHISHING PerSwaysion JavaScript Response M1
Source: et/open
Created: May 27, 2021
Updated: May 28, 2021
Classification: credential-theft
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion JavaScript Response M1"; flow:established,to_client; http.content_type; content:"/javascript"; file.data; content:"eval|28|function|28 24|nbrut|2c|"; startswith; content:"function|28 24|charCode|29 20 7b|return|20 28 24|charCode|20|"; distance:0; content:"|3f 20|String|2e|fromCharCode|28|"; within:150; content:"|29 20 3a 20 24|charCode|2e|toString|28|"; within:50; content:"|2e|replace|28|new|20|RegExp|28 27 5c 5c|b|27 20 2b|"; distance:0; fast_pattern; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2033037; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_05_28;)
References
Metadata
affected product: Web_Browsers
attack target: Client_Endpoint
created at: 2021_05_27
deployment: SSLDecrypt
confidence: Medium
signature severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2021_05_28