""ET CURRENT_EVENTS Mailgun Phishing Landing""
SID: 2030943
Revision: 2
Class Type: trojan-activity
Metadata: affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_10_02
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: to_client,established
Contents:
-
Value: "
Log In to Mailgun"</p> </li> <li> <p>Value: "function checkUsername()"</p> </li> <li> <p>Value: "function checkPassword()"</p> </li> <li> <p>Value: ".php|22|,"</p> </li> <li> <p>Value: "type|3a 20 22|POST|22|,"</p> </li> <li> <p>Value: "data|3a 20|{username|3a 20|$('#username').val(),password|3a|$('#password').val()"</p> </li> </ul> <p><strong>Within:</strong> </p> <p><strong>PCRE:</strong> </p> <p><strong>Special Options:</strong></p> <ul> <li> <p>file_data</p> </li> <li> <p>nocase</p> </li> <li> <p>nocase</p> </li> <li> <p>nocase</p> </li> <li> <p>nocase</p> </li> <li> <p>nocase</p> </li> <li> <p>fast_pattern</p> </li> <li> <p>nocase</p> </li> </ul> <p><a href="https://github.com/magicsword-io/Magic-SigExplorer/tree/main/yaml/et/et_rule_2030943.yaml"><em>source</em></a></p> </div> </div><footer> <hr/> <div role="contentinfo"> <!-- Copyright etc --> </div> Built with <a href="https://www.mkdocs.org/">MkDocs</a> using a <a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>. </footer> </div> </div> </section> </div> <div class="rst-versions" role="note" aria-label="Versions"> <span class="rst-current-version" data-toggle="rst-current-version"> </span> </div> <script src="../../../js/jquery-3.6.0.min.js"></script> <script>var base_url = "../../..";</script> <script src="../../../js/theme_extra.js"></script> <script src="../../../js/theme.js"></script> <script src="../../../search/main.js"></script> <script> jQuery(function () { SphinxRtdTheme.Navigation.enable(true); }); </script> </body> </html>