"ET POLICY [@Silv0123] Possible Fake Microsoft Office User-Agent Observed"
SID: 2033960
Revision: 4
Class Type: bad-unknown
Metadata: created_at 2021_09_16, updated_at 2021_10_25
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: established,to_server
Contents:
- Value: "User-Agent|3a 20|Microsoft Office"
- Value: !"2014|0d 0a|"
- Value: !"Discovery|0d 0a|"
- Value: !"OneNote|0d 0a|"
Within:
PCRE: "/^User-Agent\x3a\x20Microsoft\x20Office[^\x3b\x2f\x28]+(\r\n)?$/Hmi"
Special Options:
- http_header
- http_header
- http_header
- http_header