Versions (2)
Version Details: Current
Rev: 2 • Feb 4, 2025, 12:00 PM
ET PHISHING Tycoon2FA Phishing Kit Style Evasion
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Tycoon2FA Phishing Kit Style Evasion"; flow:established,to_client; http.response_body; content:"window|2e 5f|phantom|20 7c 7c 20|navigator|2e|userAgent|2e|includes|28 22|Burp|22 29 29|"; fast_pattern; content:"window|2e|location|20 3d 20 22|about|3a|blank|22 3b|"; distance:0; content:"event|2e|ctrlKey|20 26 26 20|event|2e|keyCode|20 3d 3d 3d 20|85|29|"; distance:0; content:"event|2e|keyCode|20 3d 3d 3d 20|73"; distance:0; reference:url,proofpoint.com/us/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass; reference:url,app.any.run/tasks/811d0a20-70d7-4fe5-813e-3ae3c065ffab; classtype:credential-theft; sid:2059882; rev:2; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_02_04, deployment Perimeter, deployment SSLDecrypt, malware_family Tycoon2FA, confidence High, signature_severity Critical, tag Phishing, updated_at 2026_01_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
Feb 4, 2025, 12:00 PM
Jan 29, 2026, 12:00 PM
Feb 4, 2025, 9:34 PM
Jan 29, 2026, 10:34 PM
rules/emerging-phishing.rules