ET PHISHING Cloudflare Captcha JS 2025-07-15
Source: et/open
Created: July 16, 2025
Updated: July 16, 2025
Classification: social-engineering
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloudflare Captcha JS 2025-07-15"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"<html"; distance:0; content:"<head>"; distance:0; pcre:"/<title>[a-zA-Z]{3,20}<\x2ftitle>/i"; content:"<script src=\"https://challenges.cloudflare.com/turnstile/v0/api.js\"></script>"; distance:0; content:"</head>"; distance:0; content:"<body>"; distance:0; content:"<div class=\"container mt-5\">"; distance:0; content:"<div class=\"centered-content\">"; distance:0; content:"<div class=\"col-lg-5 text-center\">"; distance:0; content:"<div class=\"mt-2\">"; distance:0; content:"<form method=\"POST\">"; distance:0; content:"<span class=\"cf-turnstile\" data-sitekey="; distance:0; content:"</form>"; distance:0; content:"<div class=\"mt-2 text-muted\""; distance:0; content:"<script>"; distance:0; content:"function"; distance:0; content:"document.forms[0].submit()"; fast_pattern; distance:0; content:"</script>"; distance:0; content:"</body>"; distance:0; content:"</html>"; distance:0; reference:url,t7f4e9n3.delivery.rocketcdn.me/wp-content/uploads/2025/06/Sekoia_io___Global_analysis_of_Adversary_in_the_Middle_phishing_threats.pdf; classtype:social-engineering; sid:2063535; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_07_16, deployment Perimeter, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Major, tag Phishing, tag ODx, tag Storm_1167, updated_at 2025_07_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)