Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Tycoon 2FA Document Delivery Webpage"; flow:established,to_client; http.response_body; content:"|2f 2f 20|Prevent|20|certain|20|key|20|combinations"; content:"|2f 2f 20|Bot|2d|protection|20|and|20|Turnstile|20|vars"; fast_pattern; content:"const|20|FILE|5f|URL|20 3d 20|atob"; reference:url,proofpoint.com/us/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass; classtype:credential-theft; sid:2065670; rev:2; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_11_05, deployment Perimeter, deployment SSLDecrypt, signature_severity Critical, tag Phishing, updated_at 2026_01_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing; target:dest_ip;)