ET PHISHING Suspected BULLSreCaptcha Credential Phish Landing Page M2 2024-10-17

SID: 2057274Rev: 18 views
Sourceet/open
CreatedOctober 17, 2024
UpdatedNovember 6, 2024
Classificationcredential-theft
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspected BULLSreCaptcha Credential Phish Landing Page M2 2024-10-17"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; bsize:1000<>5000; content:"google.com/recaptcha/api.js"; nocase; content:"<form"; distance:0; nocase; content:"</form>"; distance:0; nocase; content:".php"; distance:0; nocase; content:"|24 2e|ajax"; distance:0; nocase; content:"post"; distance:0; nocase; content:".success.toString()"; distance:0; nocase; content:".redirect.toString()"; distance:0; fast_pattern; nocase; content:"window.location.reload()"; distance:0; nocase; content:"window.location.replace("; distance:0; nocase; reference:url,ic3.gov/Media/Y2024/PSA240412; reference:url,urlscan.io/responses/40b09b41500c93bfbdc2d27b58cef9b61633dd2b457aac93b21dd2dcc8f332ba/; reference:url,tria.ge/241017-h6nrjs1aqq/behavioral1; classtype:credential-theft; sid:2057274; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_10_17, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Phishing, updated_at 2024_11_06, former_sid 2858712, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)

References

urlic3.gov/Media/Y2024/PSA240412
urlurlscan.io/responses/40b09b41500c93bfbdc2d27b58cef9b61633dd2b457aac93b21dd2dcc8f332ba/
urltria.ge/241017-h6nrjs1aqq/behavioral1

Metadata

attack targetClient_Endpoint
tls stateTLSDecrypt
created at2024_10_17
deploymentSSLDecrypt
confidenceMedium
signature severityMajor
tagPhishing
updated at2024_11_06
former sid2858712
mitre tactic idTA0001
mitre tactic nameInitial_Access
mitre technique idT1566
mitre technique namePhishing

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!