From 324cdb828977370fdaa088d848a4f798655c7d15 Mon Sep 17 00:00:00 2001
From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com>
Date: Sun, 10 Mar 2024 20:01:20 +0000
Subject: [PATCH] Create webmail-27971b3a.yml (#243)

* Create fake-webmail-page.yml

* Update and rename fake-webmail-page.yml to webmail-27971b3a.yml

---------

Co-authored-by: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
---
 indicators/webmail-27971b3a.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 indicators/webmail-27971b3a.yml

diff --git a/indicators/webmail-27971b3a.yml b/indicators/webmail-27971b3a.yml
new file mode 100644
index 0000000..c2f659d
--- /dev/null
+++ b/indicators/webmail-27971b3a.yml
@@ -0,0 +1,19 @@
+title: Webmail Phishing 27971b3a
+description: |
+ Detects a phishing kit impersonating Webmail.
+
+references:
+ - https://urlscan.io/result/27971b3a-f9f4-44ea-9df6-b3af1e386048/
+ - https://urlscan.io/search/#filename%3A%22evergageSmall.min.js.download%22
+
+detection:
+
+ imageAssets:
+ requests|endswith|all:
+ - "/images/logo_1.png"
+ - "/images/logo_2.png"
+
+ randomString:
+ html|contains: 'bis_register="W3sibWFzdGVyIjp0cnVlLCJleHRlbnNpb25JZCI6ImVwcGlvY2VtaG1ubGJoanBsY2drb2ZjaWllZ29tY29uIiwiYWRibG9ja2VyU3RhdHVzIjp7IkRJU1BMQVkiOiJlbmFibGVkIiwiRkFDRUJPT0siOiJlbmFibGVkIiwiVFdJVFRFUiI6ImVuYWJsZWQiLCJSRURESVQiOiJkaXNhYmxlZCJ9LCJ2ZXJzaW9uIjoiMS45LjAzIiwic2NvcmUiOjEwOTAzMH1d"'
+
+ condition: imageAssets and randomString
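Review bot: The `randomString` selector keys on a `bis_register="…"` attribute whose base64 value decodes to a JSON array with `extensionId`, `adblockerStatus`, `version` and `score` fields, which looks like DOM state injected by a browser extension on the capturing client rather than markup served by the kit — worth confirming against a second scan from a clean browser before merging. Because `condition: imageAssets and randomString` ANDs it with the image paths, a kit instance captured without that extension would not match at all, while any unrelated page captured with it would satisfy half the rule. `/images/logo_1.png` and `/images/logo_2.png` are generic enough that they should not carry the detection on their own, so a kit-specific marker (a distinctive string from the kit's own HTML, or a request path unique to it) would be a sounder second selector. At minimum a comment above the selector, `# bis_register is a base64 JSON blob (extensionId/adblockerStatus); confirm it is served by the kit and not injected by the scanning browser`, would record the uncertainty for the next maintainer.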