id: iCloud-phish

info:
  name: iCloud phishing Detection
  author: rxerium
  severity: info
  description: |
    A iCloud phishing website was detected
  reference:
    - https://icloud.com
  tags: phishing,icloud,osint

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    host-redirects: true
    max-redirects: 2

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Log in to iCloud to access your photos, mail, notes, documents and more. Sign in with your Apple ID or create a new account to start using Apple services.'

      - type: status
        status:
          - 200

      - type: dsl
        dsl:
          - '!contains(host,"icloud.com")'
          - '!contains(host,"apple.com")'
        condition: and
# digest: 4a0a004730450220093cce4f06a8d3c0ea352f9adcbc7853f3876c9db77d7d85b7c2fceaaa293db0022100db586ee7394be3d2d6131156aeceb412938661c751168eca52277889ee373a8c:922c64590222798bb761d5b6d8e72950