alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING USPS Credential Phish Landing Page M1 2023-04-28"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c|noscript|3e 3c|meta|20|http|2d|equiv|3d 22|Refresh|22 20|content|3d 22|5|3b|URL|3d|https|3a 2f 2f|www|2e|enable|2d|javascript|2e|com|2f 22 3e 3c 2f|noscript|3e|"; content:"<title>HTML Document</title>"; distance:0; content:"window|2e|location|2e|href|20 3d 20 22|index123|2e|php|3f|t|3d|"; distance:0; fast_pattern; content:"('vendor/vendor."; distance:0; content:".then(() => {"; distance:0; classtype:credential-theft; sid:2045245; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_04_28, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_04_28;)