Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Tycoon 2FA Fake Captcha Check"; flow:established,to_client; http.response_body; content:"|3c|div|20|class|3d 22|captcha|2d|box|22 20|id|3d 22|captchaBox|22 3e|"; content:"|3c|div|20|class|3d 22|checkbox|22 20|id|3d 22|checkbox|22 20|role|3d 22|checkbox|22|"; content:"|3c|strong|3e|HumanCheck|3c 2f|strong|3e|"; fast_pattern; content:"checkbox|2e|addEventListener|28 27|keydown"; content:"verifyInstant|28 29|"; reference:url,proofpoint.com/us/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass; classtype:credential-theft; sid:2065671; rev:2; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_11_05, deployment Perimeter, deployment SSLDecrypt, signature_severity Critical, tag Phishing, updated_at 2026_01_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing; target:dest_ip;)