alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Office 365 Cred Phish (2024-09-25)"; flow:established,to_client; http.response_body; content:"|25|3E|25|42|25|65|25|63|25|61|25|75|25|73|25|65|25|20|25|79|25|6F|25|75|25|27|25|72|25|65|25|20|25|61|25|63|25|63|25|65|25|73|25|73|25|69|25|6E|25|67|25|20|25|73|25|65|25|6E|25|73|25|69|25|74|25|69|25|76|25|65|25|20|25|69|25|6E|25|66|25|6F|25|2C|25|20|25|79|25|6F|25|75|25|20|25|6E|25|65|25|65|25|64|25|20|25|74|25|6F|25|20|25|76|25|65|25|72|25|69|25|66|25|79|25|20|25|79|25|6F|25|75|25|72|25|20|25|70|25|61|25|73|25|73|25|77|25|6F|25|72|25|64|25|3C|25|2F|25|64|25|69|25|76|25|3E"; reference:md5,8ae4c874e83ea873af4a9d1021374a33; classtype:trojan-activity; sid:2056178; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_09_25, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Phish, updated_at 2024_09_25;)