- This signature alerts on an unencrypted HTTP GET request to a website on port 80 for an executable file (exe|zip|7z|rar|com|vbs|ps1) with the keywords Financial, Payment, or Invoice. It monitors for a likely compromised site attempting to pass off a malicious executable disguised as an invoice.
- Port 80 HTTP
Known False Positive Indicators
- Some county bail sites that allow checking bail payment amounts will falsely trip this alert.
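
The matching logic and the false positive described above, sketched as an added Python example; it is not the signature's own rule text, which this page does not show. Assumptions: the keyword may appear anywhere in the URI path, the extension is checked on the requested file name, and the host `bail.county.example` and all sample requests are constructed.

```python
import re
from urllib.parse import urlsplit

# Extension list and keywords as given in the signature description.
EXT_RE = re.compile(r"\.(?:exe|zip|7z|rar|com|vbs|ps1)$", re.IGNORECASE)
KEYWORD_RE = re.compile(r"financial|payment|invoice", re.IGNORECASE)

# Constructed placeholder for a reviewed false-positive source.
KNOWN_FP_HOSTS = {"bail.county.example"}


def matches_signature(method, dest_port, uri):
    """Approximate the signature: GET on port 80, listed extension, keyword in path."""
    if method.upper() != "GET" or dest_port != 80:
        return False
    path = urlsplit(uri).path            # ignore the query string
    filename = path.rsplit("/", 1)[-1]
    # Assumption: the keyword may appear anywhere in the path.
    return bool(EXT_RE.search(filename) and KEYWORD_RE.search(path))


def triage(method, dest_port, host, uri):
    """Return 'no-match', 'known-fp' or 'alert' for one request."""
    if not matches_signature(method, dest_port, uri):
        return "no-match"
    if host.lower() in KNOWN_FP_HOSTS:
        return "known-fp"
    return "alert"


# Constructed sample requests: (method, destination port, Host header, URI).
SAMPLES = [
    ("GET", 80, "files.example.net", "/downloads/Invoice_2231.exe"),
    ("GET", 80, "files.example.net", "/docs/Payment-Details.zip"),
    ("GET", 80, "bail.county.example", "/cgi-bin/bailpayment.exe?case=0000"),
    ("GET", 80, "files.example.net", "/reports/financial-summary.pdf"),
    ("GET", 80, "files.example.net", "/tools/setup.exe"),
    ("POST", 80, "files.example.net", "/upload/invoice.exe"),
    ("GET", 8080, "files.example.net", "/downloads/Invoice_2231.exe"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(*sample), sample)
```

The third sample matches on both keyword and extension, which is why a reviewed host list is applied after the match rather than loosening the pattern itself.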
TROJAN Possible Malicious Invoice EXE