Outlook phishing pattern

[Y M via Snort-sigs <snort-sigs () lists snort org>]

Hi,

This one has been making rounds lately. With google foo several websites seem to carry the same pattern. Pcap is 
available.

Please let me know if the preference to submit to the list as one email to reduce the noise.

# --------------------
# Date: 2018-06-09
# Title: Outlook Phishing Login Page - Pattern
# Tests: pcap, google foo
# Reference: Research
# Confidence: medium

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SPAM Outlook phishing suspicious login page 
requested"; flow:to_server,established; content:"GET"; http_method; content:"?cmd=login_submit"; fast_pattern:only; 
http_uri; content:"&id="; http_uri; content:"&session="; http_uri; metadata:ruleset community, service http; 
reference:url,www.hybrid-analysis.com/sample/af7c94a09025e72b4f67418577f96b671dff23dba6c87a70d11673b7f4f5b4ef/5b1af9b67ca3e15b99388eb3;
 classtype:suspicious-login; sid:8000110; rev:1;)

Thanks
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!