alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Fake Google Meet Page"; flow:established,to_client; http.response_body; content:"|3c|title|3e|Google|20|Meet"; content:"GOOGLE|20|MEET|20|JOIN|20|PAGE"; fast_pattern; content:"people|20|expected|3c 2f|div|3e|"; reference:url,netskope.com/blog/attackers-weaponize-signed-rmm-tools-via-zoom-meet-teams-lures; classtype:trojan-activity; sid:2068410; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2026_03_24, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag compromised_website, updated_at 2026_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1189, mitre_technique_name Drive_by_Compromise; target:dest_ip;)