[Snort-sigs] Outlook phishing pattern
johlevy at sourcefire.com
Tue Jun 12 11:47:20 EDT 2018
Thanks for these submissions. We will review them and get back to you when
finished. Do you mind sending over the pcaps you have available for the
most recent submissions? Thanks again!
Sending the submissions in as one email will work as long as there is a
clear delimiter between each one in the email.
On Mon, Jun 11, 2018 at 3:18 PM, Y M via Snort-sigs <
snort-sigs at lists.snort.org> wrote:
> This one has been making rounds lately. With google foo several websites
> seem to carry the same pattern. Pcap is available.
> Please let me know if the preference to submit to the list as one email to
> reduce the noise.
> # --------------------
> # Date: 2018-06-09
> # Title: Outlook Phishing Login Page - Pattern
> # Tests: pcap, google foo
> # Reference: Research
> # Confidence: medium
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SPAM
> Outlook phishing suspicious login page requested";
> flow:to_server,established; content:"GET"; http_method;
> content:"?cmd=login_submit"; fast_pattern:only; http_uri; content:"&id=";
> http_uri; content:"&session="; http_uri; metadata:ruleset community,
> service http; reference:url,www.hybrid-analysis.com/sample/
> b4ef/5b1af9b67ca3e15b99388eb3; classtype:suspicious-login; sid:8000110;
> Snort-sigs mailing list
> Snort-sigs at lists.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!
> Please follow these rules: https://snort.org/faq/what-is-
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads">emerging threats</a>!
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs