""ET CURRENT_EVENTS Microsoft Credential Phish 2022-03-14""
SID: 2035453
Revision: 1
Class Type: trojan-activity
Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_04, deployment Perimeter, signature_severity Major, updated_at 2022_03_04
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: established,to_client
Contents:
-
Value: "200"
-
Value: "username|3a 20|this|2e|email"
-
Value: "password|3a 20|this|2e|password"
-
Value: "from|3a 20 22|Microsoft|20|Login|22|"
-
Value: "this|2e|error|20 3d 20 22|An|20|error|20|occured|2c 20|please|20|check|20|input|20|and|20|try|20|again|22 3b|"
-
Value: "this|2e|submitCount"
-
Value: "window|2e|location|2e|replace|28|"
Within:
PCRE:
Special Options:
-
http_stat_code
-
file_data