IPS Phishing Block

For whatever reason, my wife comes across more phishing attempts than anyone I know. Had a chance to capture some of this data so you can see how it behaves in real life both with and without Zscaler.

Threat: Phishing
Initial Transport: Text Message
Method: Link
Target: Facebook credentials

Screenshot of actual text message

You’d think a link that looks like that nobody would actually click. You’d be surprised. The actual link is:


Not the phisher (is that even a word?) used http and not https.

The phisher asks the victim to confirm their identity:

When victim click the link, they are sent to:


Again, HTTP and not HTTPS

Where they are presented a facebook login page:

Once the victim types in their username and password are sent to:


And the user is then redirected to the facebook terms of service page.

If the victim has Zscaler running, the user is protected, via IPS signature, before they have the chance to enter their credentials.

We classify this URL:


As phishing, specifically HTML.Phish.Facebook:

Now, let’s see it in action.

Without Zscaler:

With Zscaler:

Let me know if you have any questions.

Note: The value of statusid is dynamic and will change each time the URL is hit. The URL appears to be dead at this point.