- This rule detects a specific sequence of JavaScript that is designed to obfuscate the content it displays.
- Legitimate reasons to do this are not unheard of, but they are rare.
Is this a False Positive:
- URL leading to this landing page (this is a sketchy advertising network, try it a bunch of times and it will eventually land on the below content):
- This is a valid detection. See below for the page that is rendered.
- Alarm on phish attempt.
- Verify that there are no additional IDS, NetFlow, or log entries related to the same asset. If there are, additional investigation is required.