alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Obfuscated Javascript from Generic Phishkit"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"var|20|"; startswith; pcre:"/^(?P<arrayName>[a-z]{1,50})\x20\x3d\x20new\x20Array\x3b\x0a((?P=arrayName)\x5b){1,50}/R"; content:"for(i=0|3b|"; distance:0; content:"Math.pow("; distance:0; content:"String.fromCharCode(Math.floor("; distance:0; fast_pattern; content:"document.write("; distance:0; content:")|3b|"; endswith; reference:url,trendmicro.com/en_us/research/23/k/threat-actors-leverage-file-sharing-service-and-reverse-proxies.html; reference:url,obsidiansecurity.com/blog/detecting-aitm-phishing-sites-with-fuzzy-hashing/; classtype:credential-theft; sid:2049692; rev:2; metadata:attack_target Client_Endpoint, created_at 2023_12_14, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_02_07, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information;)