""ET ACTIVEX Possible Sparkasse Phishing Domain 2021-04-05""

SID: 2032469

Revision: 3

Class Type: attempted-admin

Metadata: affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2023_04_04

Reference:

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: to_server,established

Contents:

  • Value: "GET"

  • Value: "sparkasse.de"

Within:

PCRE: "/^Host\x3a\x20[^\r\n]+sparkasse.de/Hmi"

Special Options:

  • http_method

  • fast_pattern

  • http_header

source