alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING VigLink Redirect To HiYu Phishing Landing Page"; flow:established,to_server; http.host; content:"redirect.viglink.com"; fast_pattern; http.uri; content:"/?"; startswith; content:"&u=_"; distance:20; within:4; content:".xn--"; distance:10; within:5; content:".xn--"; distance:0; content:"&drKey=1"; endswith; pcre:"/^\/\?[a-z]{20}&u=_[a-z]{10}\.xn--[a-z0-9]+\.xn--/"; reference:url,en.wikipedia.org/wiki/VigLink; reference:url,urlscan.io/result/26b88d69-0fea-4c63-9f29-3c53350c098e/; classtype:social-engineering; sid:2044289; rev:2; metadata:attack_target Client_Endpoint, created_at 2023_02_22, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2023_02_24; target:src_ip;)