PhishingRegex.txt
--------------------POTENTIAL LINKS TO HACKED WEBSITES-------------------
/wp-admin/
/wp-includes/
/wp-content/(?!\S{0,60}Campaign\S{0,2}\=)(?!\S{0,60}\.pdf[<\"\t\r\n])(?!\S{0,60}\.jpg[<"\t\r\n])
-------------------SUSPICIOUS PATTERNS-------------------
blocked\ your?\ online
suspicious\ activit
updated?\ your\ account\ record
Securely\ \S{3,4}\ one(\ )?drive
Securely\ \S{3,4}\ drop(\ )?box
Securely\ \S{3,4}\ Google\ Drive
sign\ in\S{0,7}(with\ )?\ your\ email\ address
Verify\ your\ ID\s
dear\ \w{3,8}(\ banking)?\ user
chase\S{0,10}\.html"
\b(?<=https?://)(www\.)?icloud(?!\.com)
(?<![\x00\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4A\x4B\x4C\x4D\x4E\x4F\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5A])appie\W
/GoogleDrive/
/googledocs?/
/Dropfile/
limit\ (and\ suspend\ )?your\ account
\b(?<=https?://)(?!www\.paypal\.com/)\S{0,40}pa?y\S{0,2}al(?!\S*\.com/)
sitey\.me
myfreesites\.net
/uploadfile/
/\S{0,3}outloo\S{0,2}k\S{1,3}\W
\b(?<=https?://webmail\.)\S{0,40}webmail\w{0,3}(?!/[0-9])(?!\S{0,40}\.com/)
owaportal
outlook\W365
/office\S{0,3}365/
-icloud\Wcom
pyapal
/docu\S{0,3}sign\S{1,4}/
/helpdesk/
pay\Sa\S{0,2}login
/natwest/
/dro?pbo?x/
%20paypal
\.invoice\.php
security-?err
/newdropbox/
/www/amazon
simplefileupload
security-?warning
-(un)?b?locked
//helpdesk(?!\.)
\.my-free\.website
mail-?update
\.yolasite\.com
//webmail(?!\.)
\.freetemplate\.site
\.sitey\.me
\.ezweb123\.com
\.tripod\.com
\.myfreesites\.net
mailowa
-icloud
icloud-
contabo\.net
\.xyz/
ownership\ validation\ (has\ )?expired
icloudcom
\w\.jar(?=\b)
/https?/www/
\.000webhost(app)?\.com
is\.gd/
\.weebly\.com
\.wix\.com
tiny\.cc/
\.joburg
\.top/
-------------------SUSPICIOUS PHRASES-------------------
word must be installed
prevent further unauthorized
prevent further unauthorised
informations has been
fallow our process
confirm your informations
failed to validate
unable to verify
delayed payment
activate your account
Update your payment
submit your payment
via Paypal
has been compromised
FRAUD NOTICE
your account will be closed
your apple id was used to sign in to
was blocked for violation
urged to download
that you validate your account
multiple login attempt
trying to access your account
suspend your account
restricted if you fail to update
informations on your account
update your account information
update in our security
Account Was Limited
verify and reactivate
--------------------SUSPICIOUS SUBJECTS-------------------
has\ been\ limited
We\ have\ locked
has\ been\ suspended
unusual\ activity
notifications\ pending
your\ (customer\ )?account\ has
your\ (customer\ )?account\ was
new\ voice(\ )?mail
Periodic\ Maintenance
refund\ not\ approved
account\ (is\ )?on\ hold
wire\ transfer
secure\ update
temporar(il)?y\ deactivated
verification\ required