""ET CURRENT_EVENTS Successful Orderlink (IN) Phish Feb 24 2017""

SID: 2024015

Revision: 1

Class Type: trojan-activity

Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, signature_severity Critical, tag Phishing, updated_at 2017_02_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing

Reference:

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: to_server,established

Contents:

• Value: "POST"

• Value: "/signin"

• Value: "/signin|0d 0a|"

• Value: "_token=" Depth: 7

• Value: "&email="

• Value: "|25|40"

• Value: "&pass"

Within:

PCRE:

Special Options:

• http_method

• http_header

• fast_pattern

• nocase

• http_client_body

• nocase

• http_client_body

• nocase

• http_client_body

• nocase

• http_client_body

source