Snort mailing list archives
Outlook phishing pattern
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 11 Jun 2018 19:18:56 +0000
Hi, This one has been making rounds lately. With google foo several websites seem to carry the same pattern. Pcap is available. Please let me know if the preference to submit to the list as one email to reduce the noise. # -------------------- # Date: 2018-06-09 # Title: Outlook Phishing Login Page - Pattern # Tests: pcap, google foo # Reference: Research # Confidence: medium alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SPAM Outlook phishing suspicious login page requested"; flow:to_server,established; content:"GET"; http_method; content:"?cmd=login_submit"; fast_pattern:only; http_uri; content:"&id="; http_uri; content:"&session="; http_uri; metadata:ruleset community, service http; reference:url,www.hybrid-analysis.com/sample/af7c94a09025e72b4f67418577f96b671dff23dba6c87a70d11673b7f4f5b4ef/5b1af9b67ca3e15b99388eb3; classtype:suspicious-login; sid:8000110; rev:1;) Thanks YM
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs Please visit http://blog.snort.org for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- Outlook phishing pattern Y M via Snort-sigs (Jun 11)
- Re: Outlook phishing pattern John Levy (Jun 12)