ET WEB_CLIENT Zimbra zauthtoken Value Extraction Script Requested (Inbound)
Source: et/open
Created: February 1, 2024
Updated: February 1, 2024
Classification: credential-theft
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Zimbra zauthtoken Value Extraction Script Requested (Inbound)"; flow:established,to_client; http.content_type; content:"application/x-javascript"; startswith; file.data; content:"fetch|28 27|/public/authorize.jsp|27 29|"; content:"|63 6f 6e 73 74 20 6d 61 74 63 68 20 3d 20 64 61 74 61 2e 6d 61 74 63 68 28 2f 6e 61 6d 65 3d 22 7a 61 75 74 68 74 6f 6b 65 6e 22 20 76 61 6c 75 65 3d 22 28 5b 5e 22 5d 2b 29 22 2f 29 3b|"; fast_pattern; distance:0; content:"|2f 2f 20|Post the zauthtoken value to your PHP script"; distance:0; reference:url,twitter.com/__0XYC__/status/1753000391770317099; classtype:credential-theft; sid:2050658; rev:1; metadata:attack_target Client_Endpoint, created_at 2024_02_01, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_02_01; target:dest_ip;)
References
url: twitter.com/__0XYC__/status/1753000391770317099
Metadata
attack target: Client_Endpoint
created at: 2024_02_01
deployment: SSLDecrypt
confidence: High
signature severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2024_02_01