[Snort-sigs] Outlook phishing pattern

Y M snort at outlook.com
Mon Jun 11 15:18:56 EDT 2018


This one has been making the rounds lately. With google foo, several websites seem to carry the same pattern. Pcap is available.

Please let me know if the preference is to submit to the list as one email to reduce the noise.

# --------------------
# Date: 2018-06-09
# Title: Outlook Phishing Login Page - Pattern
# Tests: pcap, google foo
# Reference: Research
# Confidence: medium

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SPAM Outlook phishing suspicious login page requested"; flow:to_server,established; content:"GET"; http_method; content:"?cmd=login_submit"; fast_pattern:only; http_uri; content:"&id="; http_uri; content:"&session="; http_uri; metadata:ruleset community, service http; reference:url,www.hybrid-analysis.com/sample/af7c94a09025e72b4f67418577f96b671dff23dba6c87a70d11673b7f4f5b4ef/5b1af9b67ca3e15b99388eb3; classtype:suspicious-login; sid:8000110; rev:1;)
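
Added example, not part of the original post and not Snort code: a simplified Python model of the rule's http_method and http_uri content checks, run over constructed request lines to show which requests the rule as written would and would not alert on. The host example.test and all sample URIs are made up, and http_inspect URI normalization is not modeled.

```python
# Simplified model of the rule's content options (added example, not Snort itself).
# Assumption: the raw request-target is used; http_inspect normalization is not modeled.

RULE_METHOD = b"GET"                                                # content:"GET"; http_method;
RULE_URI_CONTENTS = [b"?cmd=login_submit", b"&id=", b"&session="]   # http_uri contents


def parse_request_line(raw: bytes):
    """Return (method, uri) from the first line of a raw HTTP request, or None."""
    line = raw.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0], parts[1]


def rule_matches(raw: bytes) -> bool:
    """True when the request satisfies every content option of the rule.

    The content options carry no nocase, distance or within modifiers, so each
    match is case-sensitive and independent of where the others sit in the URI.
    """
    parsed = parse_request_line(raw)
    if parsed is None:
        return False
    method, uri = parsed
    if RULE_METHOD not in method:
        return False
    return all(content in uri for content in RULE_URI_CONTENTS)


# Constructed sample requests; none are taken from the pcap mentioned in the post.
HDR = b" HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLES = {
    "expected_pattern": b"GET /x/index.php?cmd=login_submit&id=abc&session=abc" + HDR,
    "reordered_params": b"GET /x/?cmd=login_submit&session=1&id=2" + HDR,
    "post_request": b"POST /x/?cmd=login_submit&id=1&session=2" + HDR,
    "missing_session": b"GET /x/?cmd=login_submit&id=1" + HDR,
}


def evaluate_samples() -> dict:
    """Map each sample name to whether the modeled rule would alert."""
    return {name: rule_matches(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18} {'ALERT' if hit else 'no alert'}")
```
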
