alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [TW] EvilProxy AiTM Set-Cookie"; flow:established,to_client; content:"Server|3a 20|nginx/"; content:"|0d 0a|Set-Cookie|3a 20|"; content:"=|22 22 3b 20|Domain="; distance:0; content:"|3b 20|expires=Thu, 01 Jan 1970 00:00:00 GMT|3b 3b 20|Path=/|0d 0a|"; fast_pattern; distance:0; pcre:"/Set-Cookie\x3a\x20[a-z0-9]{4}=\x22\x22\x3b/i"; classtype:social-engineering; sid:2037848; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, deprecation_reason Age, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_12_02, reviewed_at 2024_12_02;)