alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Zoom.us Phish 2021-10-25"; flow:established,to_client; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://static.zoom.us"; bsize:22; fast_pattern; reference:md5,eb5994afdc8da491c862867784956a5b; classtype:credential-theft; sid:2034245; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, confidence High, signature_severity Critical, tag Phishing, updated_at 2021_10_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)