From ea08e91420bec3e35c62a2396747c49e5c2f23c7 Mon Sep 17 00:00:00 2001
From: Lightning <154468000+LightningDev23@users.noreply.github.com>
Date: Tue, 2 Jul 2024 10:06:30 -0400
Subject: [PATCH] =?UTF-8?q?=F0=9F=9A=80=20Create=20discord-fake-404-kit.ym?= =?UTF-8?q?l?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Detects a fake 404 page that is used on Discord phishing templates. These sites often have hidden paths of /login with a fake Discord login.
---
indicators/discord-fake-404-kit.yml | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 indicators/discord-fake-404-kit.yml
diff --git a/indicators/discord-fake-404-kit.yml b/indicators/discord-fake-404-kit.yml
new file mode 100644
index 00000000..9d160a9f
--- /dev/null
+++ b/indicators/discord-fake-404-kit.yml
@@ -0,0 +1,25 @@
+title: Discord Fake 404 Kit
+description: |
+ Detects a fake 404 page that is used on Discord phishing templates. These sites often have hidden paths of /login with a fake Discord login.
+references:
+ - https://urlscan.io/result/43143a94-ee73-46da-a877-e0f0e5eb5d0c/
+ - https://urlscan.io/result/d360ec5c-ec44-484e-8bf5-7ad3a296adbb/
+ - https://urlscan.io/search/#page.title%3A%22Page%20Not%20Found%20%7C%20404%22
+
+detection:
+
+ pageTitle:
+ title: "Page Not Found | 404"
+
+ pageHTML:
+ html|contains|all:
+ - "Page Not Found | 404"
+ - "https://fonts.googleapis.com/css2?family=Roboto:ital,wght@0,100;0,300;0,400;0,500;0,700;0,900;1,100;1,300;1,400;1,500;1,700;1,900&display=swap"
+ - "This page was not found, please try again later!"
+ - "

PAGE NOT FOUND!

"
+
+ condition: pageTitle and pageHTML
+
+tags:
+ - kit
+ - target.discord
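Review bot: The Google Fonts entry in `html|contains|all` under `pageHTML` pins the complete weight list and the `&display=swap` suffix, which makes the rule brittle because every entry in an `all` list must match. If the engine matches against raw page source (not visible from this patch), a page that writes the ampersand as `&amp;` would fail that entry, and so would any change to the requested weights. Matching only the stable prefix, `- "https://fonts.googleapis.com/css2?family=Roboto:ital,wght@"`, keeps the font signal while the body strings carry the specificity. The first list entry, `"Page Not Found | 404"`, repeats what `pageTitle` already checks, so it could be dropped or kept with a comment saying the overlap is deliberate. The last list entry lost its markup in this view, so it is not covered here.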