From 6d6ec66685de5d37a92e7abf7ee120cb1d956459 Mon Sep 17 00:00:00 2001
From: masaomi346
Date: Tue, 5 Sep 2023 11:10:40 +0900
Subject: [PATCH] add yml
---
indicators/saison-b85570be.yml | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 indicators/saison-b85570be.yml
diff --git a/indicators/saison-b85570be.yml b/indicators/saison-b85570be.yml
new file mode 100644
index 00000000..990d5b67
--- /dev/null
+++ b/indicators/saison-b85570be.yml
@@ -0,0 +1,21 @@
+title: SAISON Card Phishing Kit b85570be
+description: |
+ Detects a SAISON Card phishing kit targeting Japanese users.
+
+references:
+ - https://urlscan.io/result/b85570be-adc3-45f8-83ee-9a4a46737f89
+ - https://urlscan.io/result/4332baf6-7b01-49e9-9d88-b7dcb9ad5a33
+ - https://urlscan.io/result/7ddc9c4a-2a7d-403d-9743-82cb62f0eb02
+
+detection:
+ FormContains:
+ html|contains:
+ - 'name="loginForm" id="loginForm" method="post" action="USA0201UIP01SCR.do.php"'
+ pagePHP:
+ requests|contains: 'auth.php'
+
+ condition: FormContains and pagePHP
+
+tags:
+ - target.saison
+ - target_country.japan
\ No newline at end of file
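Review bot: The `FormContains` selector matches a single long literal covering four attributes (`name`, `id`, `method`, `action`) in one fixed order and spacing, so a copy of the kit that renders the same form with attributes reordered or spaced differently would not match. The distinctive part appears to be the `.do.php` action, so consider narrowing the literal to `action="USA0201UIP01SCR.do.php"`, still ANDed with `pagePHP`, after confirming it against the three urlscan references. `requests|contains: 'auth.php'` is a very common path and is only safe because the condition requires both selectors; a comment such as `# auth.php alone is too generic - keep this ANDed with FormContains` would stop a later edit from loosening it. The description could also name the two signals the rule keys on, and the file ends without a trailing newline.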