ET PHISHING EvilProxy AiTM Cookie Value M2

SID: 2043332
Rev: 1
Source: et/open
Created: January 17, 2023
Updated: January 17, 2023
Classification: social-engineering
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING EvilProxy AiTM Cookie Value M2"; flow:established,to_client; content:"Server|3a 20|nginx/"; content:"|0d 0a 0d 0a 7b 22|statusCode|22 3a 20 22|success|22 2c 20 22|cookieKey|22 3a 20 22|"; fast_pattern; content:"|22 2c 20 22|cookieDomain|22 3a 20 22|"; distance:4; within:21; content:"|22 2c 20 22|cookieValue|22 3a 20 22|"; distance:0; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x22\x7d$/R"; reference:url,boredhackerblog.info/2022/11/looking-for-evilproxy-notes.html; classtype:social-engineering; sid:2043332; rev:1; metadata:created_at 2023_01_17, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_01_17, reviewed_at 2025_10_24;)

Metadata

created at: 2023_01_17
confidence: High
signature severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2023_01_17
reviewed at: 2025_10_24
