diff --git a/indicators/webmail-27971b3a.yml b/indicators/webmail-27971b3a.yml
new file mode 100644
index 0000000..c2f659d
--- /dev/null
+++ b/indicators/webmail-27971b3a.yml
@@ -0,0 +1,19 @@
+title: Webmail Phishing 27971b3a
+description: |
+  Detects a phishing kit impersonating Webmail.
+  
+references:
+  - https://urlscan.io/result/27971b3a-f9f4-44ea-9df6-b3af1e386048/
+  - https://urlscan.io/search/#filename%3A%22evergageSmall.min.js.download%22
+  
+detection:
+
+  imageAssets:
+    requests|endswith|all: 
+      - "/images/logo_1.png"
+      - "/images/logo_2.png"
+    
+  randomString:
+    html|contains: 'bis_register="W3sibWFzdGVyIjp0cnVlLCJleHRlbnNpb25JZCI6ImVwcGlvY2VtaG1ubGJoanBsY2drb2ZjaWllZ29tY29uIiwiYWRibG9ja2VyU3RhdHVzIjp7IkRJU1BMQVkiOiJlbmFibGVkIiwiRkFDRUJPT0siOiJlbmFibGVkIiwiVFdJVFRFUiI6ImVuYWJsZWQiLCJSRURESVQiOiJkaXNhYmxlZCJ9LCJ2ZXJzaW9uIjoiMS45LjAzIiwic2NvcmUiOjEwOTAzMH1d"'
+  
+  condition: imageAssets and randomString