alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Google Cookie Token Manipulation Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/oauth/multilogin"; startswith; http.host; content:"accounts.google.com"; bsize:19; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header; content:"Authorization|3a 20|MultiBearer|20|"; http.header_names; content:"|0d 0a|Accept|0d 0a|"; content:!"Referer"; reference:url,www.cloudsek.com/blog/compromising-google-accounts-malwares-exploiting-undocumented-oauth2-functionality-for-session-hijacking; reference:url,medium.com/@DeputyDog/breaking-through-the-infostealer-exploit-and-the-enigma-of-cookie-restoration-e03e6e3cda50; classtype:attempted-admin; sid:2049906; rev:1; metadata:attack_target Client_Endpoint, created_at 2024_01_04, deployment Perimeter, deployment SSLDecrypt, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_01_04; target:src_ip;)