""ET INFO Suspected Phishing Simulation Service Activity""

SID: 2040137

Revision: 1

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2022_11_28, deployment Perimeter, deployment SSLDecrypt, signature_severity Informational, updated_at 2022_11_28

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

  • Value: "200"

  • Value: "action|3d 22 2e 2f|index.aspx?code="

  • Value: "id=|22|form1|22 3e|"

  • Value: "YOU'VE BEEN
    PHISHED!<|2f|span>"

  • Value: "Company-wide simulation|20|"

  • Value: "PLEASE DO NOT TELL YOUR
    CO-WORKERS ABOUT THIS
    PHISHING SIMULATION"

Within:

PCRE:

Special Options:

  • http_stat_code

  • file_data

  • fast_pattern

source