alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Follina Payload Delivery Page"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|3c 21|doctype html|3e 0d 0a 3c|"; depth:18; content:"|3e 0d 0a 3c|head|3e 0d 0a 3c|title|3e 0d 0a|Good thing we disabled macros|0d 0a 3c 2f|title|3e 0d 0a 3c 2f|head|3e 0d 0a|"; within:85; fast_pattern; reference:md5,783f850d06c9f1286eb9b1bda0af0bce; reference:cve,2022-30190; classtype:trojan-activity; sid:2037082; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_06_22, cve CVE_2022_30190, deployment Perimeter, deployment SSLDecrypt, former_category ACTIVEX, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_07_09, reviewed_at 2023_10_16;)