alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING W3LL STORE Phish Kit Landing Page 2023-05-02"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>"; content:"W3LL"; nocase; distance:0; content:"</title>"; distance:0; content:"Register code above on store!"; distance:0; fast_pattern; reference:url,urlscan.io/result/99bafa3d-8bec-4f12-893d-2bd878c91d4b; classtype:credential-theft; sid:2045295; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_05_02, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_05_02;)