alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Suspected Phishing Simulation Service Activity"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"action|3d 22 2e 2f|index.aspx?code="; fast_pattern; content:"id=|22|form1|22 3e|"; distance:0; content:"YOU'VE BEEN <br |2f|>PHISHED!<|2f|span>"; distance:0; content:"Company-wide simulation|20|"; distance:0; content:"PLEASE DO NOT TELL YOUR <br |2f|>CO-WORKERS ABOUT THIS <br |2f|>PHISHING SIMULATION"; classtype:social-engineering; sid:2040137; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_11_28, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_11_28; target:dest_ip;)