M&T Bank Phishing Kit 6b1866b8

Detects a phishing kit targeting users of M&T Bank.

The core processing of the phishing kit is hidden within the file named min2.js.

The kit also has a high entropy session ID present within the HTML, likely as a result of cloning the website.

References

https://urlscan.io/result/6b1866b8-84a3-4fb5-9e52-012c0a78e615
https://urlscan.io/result/41982e64-5972-4bef-9e1d-ee5bd2de1996

IOK Rule (edit)

title: M&T Bank Phishing Kit 6b1866b8
description: |
  Detects a phishing kit targeting users of M&T Bank.
  
  The core processing of the phishing kit is hidden
  within the file named `min2.js`.
  
  The kit also has a high entropy session ID present
  within the HTML, likely as a result of cloning the
  website.

references:
  - https://urlscan.io/result/6b1866b8-84a3-4fb5-9e52-012c0a78e615
  - https://urlscan.io/result/41982e64-5972-4bef-9e1d-ee5bd2de1996

detection:

  cachedSessionId:
    html|contains: 'a4e17797-fffe-477e-8870-3e5933445dce'
    
  processingScript:
    requests|contains: 'min2.js'

  condition: cachedSessionId and processingScript

tags:
  - kit
  - target.m&t_bank