ET PHISHING BULLSreCaptcha Credential Phish Landing Page M1 2024-10-17
Sourceet/open
CreatedOctober 17, 2024
UpdatedNovember 6, 2024
Classificationcredential-theft
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING BULLSreCaptcha Credential Phish Landing Page M1 2024-10-17"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; bsize:1000<>2000; content:"google.com/recaptcha/api.js"; nocase; content:"<form"; distance:0; nocase; content:"</form>"; distance:0; nocase; content:".php"; distance:0; nocase; content:"|24 2e|ajax"; distance:0; nocase; content:"post"; distance:0; nocase; content:".success.toString()"; distance:0; nocase; content:".redirect.toString()"; distance:0; nocase; content:"window.location.reload()"; distance:0; nocase; content:"window.location.replace(red)"; distance:0; fast_pattern; nocase; reference:url,ic3.gov/Media/Y2024/PSA240412; reference:url,urlscan.io/responses/40b09b41500c93bfbdc2d27b58cef9b61633dd2b457aac93b21dd2dcc8f332ba/; reference:url,tria.ge/241017-h6nrjs1aqq/behavioral1; classtype:credential-theft; sid:2057273; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_10_17, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Phishing, updated_at 2024_11_06, former_sid 2858711, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
References
Metadata
Comments (0)
Please sign in to leave a comment.
Sign inNo comments yet. Be the first to comment!