"ET CURRENT_EVENTS Possible Successful Generic Phish 2016-08-19"

SID: 2032689

Revision: 2

Class Type: trojan-activity

Metadata: affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: to_client,established

Contents:

  • Value: "302"

  • Value: "Content-Type|3a 20|text/html"

  • Value: "Location|3a 20|http"

  • Value: "Location|3a 20|http"

Within:

PCRE: "/^(?:s)?\x3a\/\/[^\/]*(?:s(?:ocietegenerale.com|parkasse.at|ina.com.cn|wisscom.ch|ec.gov)|b(?:bva(?:compass.com|.com.co)|anque-accord.fr|mo.com)|g(?:o(?:(?:ogle.co|v).uk|daddy.com)|mail.com)|(?:z(?:illow|oosk)|images.kw|office365).com|t(?:el(?:stra.com.au|ekom.com)|-online.de)|c(?:reditmutuel.fr|panel.net|iti.com)|(?:(?:realestate|nab).com.a|unc.ed)u|d(?:esjardins.c(?:om|a)|iscover.com)|e(?:arthlink.net|ftel.com.au|bay.de)|a(?:bl.com.pk|liyun.com|nz.co.nz)|w(?:estpac.com.au|ikimedia.org)|v(?:isaeurope.ch|erizon.net)|h(?:blibank.com.pk|sbc.com)|paypal.co.uk)\/?/Ri"

Special Options:

  • http_stat_code

  • http_header

  • nocase

  • fast_pattern

  • http_header
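The rule above fires on an HTTP 302 whose headers carry a text/html Content-Type and a Location header that redirects to one of the listed brand domains; the `R` (relative) flag anchors the PCRE at the byte right after the `Location|3a 20|http` content match, so the regex only has to account for the optional `s`, the `://`, the host, and an optional trailing slash. The following Python is an added illustration, not Emerging Threats or Suricata code: it reimplements that match sequence over a few constructed HTTP responses (the hostnames are built for the test and are not observed phishing redirects). It assumes all header comparisons are case-insensitive and that the status code is checked as a substring of the status-line code, mirroring the `302` content match against `http_stat_code`.

```python
import re
from typing import Tuple

# Alternation copied verbatim from the rule's PCRE. The dots are not escaped
# there either, so "." matches any single character exactly as in the rule.
LOCATION_PCRE = re.compile(
    r"^(?:s)?\x3a\/\/[^\/]*(?:s(?:ocietegenerale.com|parkasse.at|ina.com.cn|wisscom.ch|ec.gov)"
    r"|b(?:bva(?:compass.com|.com.co)|anque-accord.fr|mo.com)"
    r"|g(?:o(?:(?:ogle.co|v).uk|daddy.com)|mail.com)"
    r"|(?:z(?:illow|oosk)|images.kw|office365).com"
    r"|t(?:el(?:stra.com.au|ekom.com)|-online.de)"
    r"|c(?:reditmutuel.fr|panel.net|iti.com)"
    r"|(?:(?:realestate|nab).com.a|unc.ed)u"
    r"|d(?:esjardins.c(?:om|a)|iscover.com)"
    r"|e(?:arthlink.net|ftel.com.au|bay.de)"
    r"|a(?:bl.com.pk|liyun.com|nz.co.nz)"
    r"|w(?:estpac.com.au|ikimedia.org)"
    r"|v(?:isaeurope.ch|erizon.net)"
    r"|h(?:blibank.com.pk|sbc.com)"
    r"|paypal.co.uk)\/?",
    re.IGNORECASE,
)

# "Location|3a 20|http" from the rule, written out; the PCRE starts right after it.
LOCATION_PREFIX = "Location: http"


def split_response(raw: bytes) -> Tuple[str, str]:
    """Return (status line, raw header block) of an HTTP response; the body is dropped."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line, _, headers = head.decode("latin-1").partition("\r\n")
    return status_line, headers


def matches_rule(raw: bytes) -> bool:
    """Apply the three content checks and the relative PCRE of SID 2032689."""
    status_line, headers = split_response(raw)

    # content:"302"; http_stat_code  (substring match on the status code field)
    fields = status_line.split(" ", 2)
    if len(fields) < 2 or "302" not in fields[1]:
        return False

    # content:"Content-Type|3a 20|text/html"; http_header; nocase
    if "content-type: text/html" not in headers.lower():
        return False

    # content:"Location|3a 20|http"; http_header, then pcre with the R flag:
    # try each occurrence and anchor the regex at the byte after it.
    for hit in re.finditer(re.escape(LOCATION_PREFIX), headers, re.IGNORECASE):
        rest = headers[hit.end():]
        if LOCATION_PCRE.match(rest):
            return True
    return False


# Constructed sample responses (not captured traffic) covering hit and miss paths.
SAMPLE_HIT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Content-Type: text/html\r\n"
    b"Location: https://www.paypal.co.uk/\r\n"
    b"\r\n"
)
SAMPLE_MISS_DOMAIN = (  # 302 to a host not in the brand list
    b"HTTP/1.1 302 Found\r\n"
    b"Content-Type: text/html\r\n"
    b"Location: https://example.org/login\r\n"
    b"\r\n"
)
SAMPLE_MISS_STATUS = (  # same Location, but not a 302
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Location: https://www.paypal.co.uk/\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, sample in (("hit", SAMPLE_HIT),
                         ("miss_domain", SAMPLE_MISS_DOMAIN),
                         ("miss_status", SAMPLE_MISS_STATUS)):
        print(f"{name}: {matches_rule(sample)}")
```

Two properties of the original PCRE are worth keeping in mind when tuning: the host part is `[^\/]*` followed by the brand alternation with no end anchor, so any host that merely contains one of the listed strings matches, and the unescaped dots mean `paypal.co.uk` also matches `paypal-co.uk`. Both widen coverage of lookalike redirects at the cost of precision, which is consistent with the rule's "Possible" wording.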
