alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Antsword Related Webshell Activity (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ews/web/webconfig/"; http.header_names; content:!"Referer"; http.request_body; content:"|0d 0a|RPDbgEsJF9o8S=|0d 0a|"; fast_pattern; reference:url,www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html; classtype:web-application-attack; sid:2039066; rev:1; metadata:attack_target Web_Server, created_at 2022_09_29, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_09_29;)