alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Device Code Landing Page 2026-04-07"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; http.response_body; content:"|3c|div|20|id|3d 22|"; content:"|22 3e 3c 2f|div|3e|"; within:15; content:"<script>async function"; distance:0; content:"return Uint8Array.from(atob(s),x=>x.charCodeAt(0))"; fast_pattern; distance:0; content:"await crypto.subtle.importKey"; distance:0; content:"await crypto.subtle.decrypt("; distance:0; content:"name|3a 22|AES|2d|GCM|22|"; distance:0; content:"document.write(new TextDecoder().decode("; distance:0; content:"document|2e|body|2e|innerHTML|3d 22|Loading|20|failed|22|"; distance:0; reference:url,blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/; classtype:social-engineering; sid:2068628; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2026_04_07, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag DeviceCodePhish, updated_at 2026_04_08;)