alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING UEFA 2024 Tickets/Hospitality Landing Page"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"<title>Tickets/Hospitality|20 7c 20|UEFA|20|EURO|20|2024|20 7c|"; content:"|3a|root|7b|--sf-img-"; fast_pattern; content:"data|3a|image/avif|3b|base64,"; within:500; classtype:credential-theft; sid:2054252; rev:1; metadata:attack_target Client_Endpoint, created_at 2024_07_04, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_07_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing; target:dest_ip;)