From 90e3eee92c0e982bcaf23c3df46e4138e2c4bc53 Mon Sep 17 00:00:00 2001
From: railisac <158490223+railisac@users.noreply.github.com>
Date: Mon, 12 Jan 2026 17:36:16 +0100
Subject: [PATCH] Add JA4 signatures for login attempts

Added dedicated fields to document JA4, JA4HTTP & JA4TCP signatures when a TA / phishing kit attempts to authenticate toward a service, typically Entra. As an example, Entra records since December 2025 JA4 signatures in field GatewayJA4.
---
 .../spearphishing-campaign/definition.json | 22 +++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/objects/spearphishing-campaign/definition.json b/objects/spearphishing-campaign/definition.json
index b480f6f2..b7e15894 100644
--- a/objects/spearphishing-campaign/definition.json
+++ b/objects/spearphishing-campaign/definition.json
@@ -42,6 +42,24 @@
 "multiple": true,
 "ui-priority": 1
 },
+ "mitm-connect-back-ja4": {
+ "description": "JA4 signature used by the TA for log in attempts",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "mitm-connect-back-ja4http": {
+ "description": "JA4HTTP signature used by the TA for log in attempts",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "mitm-connect-back-ja4tcp": {
+ "description": "JA4TCP signature used by the TA for log in attempts",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
 "phishing-domain": {
 "description": "Domain where the phishing stages are hosted",
 "misp-attribute": "domain",
@@ -72,5 +90,5 @@
 "phishing-domain"
 ],
 "uuid": "20241206-9e59-4b7d-9e88-951458f10a5f",
- "version": 20250919
-}
\ No newline at end of file
+ "version": 20260112
+}
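Review bot: The three new descriptions (`mitm-connect-back-ja4`, `mitm-connect-back-ja4http`, `mitm-connect-back-ja4tcp`) say only "used by the TA for log in attempts", which leaves "TA" unexpanded and omits what the commit message explains: the value is the client fingerprint of the phishing kit's connect-back authentication to the real service, as logged by that service. A wording such as `"description": "JA4 TLS client fingerprint of the phishing kit's connect-back login to the legitimate service, as recorded by the identity provider (e.g. Entra GatewayJA4)"` would tell an analyst what is fingerprinted and where to read it. The JA4+ suite names the HTTP and TCP client fingerprints JA4H and JA4T, so the other two descriptions should mention those names so that searches and tooling line up. Since all three fields are typed `text`, nothing validates the value's format, and a JA4 value identifies a client stack rather than an actor; the description could state the expected format and that the value is meant to be matched together with the object's other attributes rather than alone.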