HTTP Basic Authentication is commonly used as a quick and dirty credential harvesting mechanism in low-complexity phishing attacks. These authentication events traversing the network in the clear also subjects the transmitted credentials to theft at any portion of the network path.

HTTP Basic Authentication event can be detected by the presence of the Authentication header in the POST request, followed by the word Basic and a base64 encoded string that is the username and password without any further encryption/obfuscation.

Keep.

192.168.1.112   	50581 	40.100.29.8   	80