Data-Content attribute obfuscation

Detects an obfuscation technique found being used by a phishing kit where it appends the content of the parent tag into the data-content attribute with the data being encoded using ASCII values to evade static analysis.

References

https://urlscan.io/result/06f6d4f9-0bc6-4519-9ffb-96bd07212c29

IOK Rule (edit)

title: Data-Content attribute obfuscation

description: |
  Detects an obfuscation technique found being used
  by a phishing kit where it appends the content of
  the parent tag into the `data-content` attribute
  with the data being encoded using ASCII values to
  evade static analysis.
  
references:
  - https://urlscan.io/result/06f6d4f9-0bc6-4519-9ffb-96bd07212c29
  
detection:

    obfuscatedDataContentAttribute:
      html|re: 'data-content="([0-9]{2,3}).+"'

    condition: obfuscatedDataContentAttribute

tags:
  - anti-analysis