Versions (2)
Version DetailsCurrent
Rev: 2 • Jul 14, 2025, 12:00 PMET PHISHING Tycoon2FA Phish Redirected Decoy Page 2025-07-14, Generic
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Tycoon2FA Phish Redirected Decoy Page 2025-07-14, Generic"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"<script>"; distance:0; content:"atob("; distance:0; content:"8dGl0bGU+"; distance:0; content:"jwvdGl0bGU+"; distance:0; content:"A8c2VjdGlvbiBpZD0idGVzdGltb25pYWxzIiBjbGFzcz0idGVzdGltb25pYWxzIj4"; fast_pattern; content:"PGgyPldoYXQgT3Vy"; content:"EpvaG4gRG9l"; content:"EphbmUgU21pdGg"; content:"document.write("; distance:0; content:"document.currentScript"; distance:0; content:".parentNode.removeChild("; distance:0; content:"</script>"; distance:0; reference:url,t7f4e9n3.delivery.rocketcdn.me/wp-content/uploads/2025/06/Sekoia_io___Global_analysis_of_Adversary_in_the_Middle_phishing_threats.pdf; reference:url,trustwave.com/en-us/resources/blogs/spiderlabs-blog/tycoon2fa-new-evasion-technique-for-2025/; reference:url,urlscan.io/result/0195d202-70b7-799b-9c81-a57224c2c65d/#transactions; classtype:credential-theft; sid:2063449; rev:2; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_07_14, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Critical, tag Phishing, tag Tycoon2FA, updated_at 2026_01_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)Jul 14, 2025, 12:00 PM
Jan 29, 2026, 12:00 PM
Jul 14, 2025, 9:34 PM
Jan 29, 2026, 10:34 PM
rules/emerging-phishing.rules