ET MALWARE Fake Microsoft Teams VBS Payload Inbound
Source: et/open
Created: January 23, 2025
Updated: January 23, 2025
Classification: command-and-control
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fake Microsoft Teams VBS Payload Inbound"; flow:established,to_client; http.response_body; content:"|3c|script|20|language|3d 22|VBScript|22 3e|"; content:"|2d|NoProfile|20 2d|WindowStyle|20|Hidden"; content:"start|2d|process|20 27|https|3a 2f 2f|azure|2e|microsoft|2e|com"; fast_pattern; content:"DownloadString"; content:"|23|URL|3a 20|https|3a 2f 2f|teams|2e|microsoft|2e|com"; reference:url,github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-22-IOCs-for-malware-from-fake-Microsoft-Teams-site.txt; classtype:command-and-control; sid:2059608; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state plaintext, created_at 2025_01_23, deployment Perimeter, confidence High, signature_severity Major, updated_at 2025_01_23; target:src_ip;)
Metadata
affected product: Windows_XP_Vista_7_8_10_Server_32_64_Bit
attack target: Client_Endpoint
tls state: plaintext
created at: 2025_01_23
deployment: Perimeter
confidence: High
signature severity: Major
updated at: 2025_01_23