ET PHISHING Tycoon 2FA Document Delivery Webpage

SID: 2065670Rev: 21 viewsHistory

Sourceet/open

CreatedNovember 5, 2025

UpdatedJanuary 29, 2026

Classificationcredential-theft

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Tycoon 2FA Document Delivery Webpage"; flow:established,to_client; http.response_body; content:"|2f 2f 20|Prevent|20|certain|20|key|20|combinations"; content:"|2f 2f 20|Bot|2d|protection|20|and|20|Turnstile|20|vars"; fast_pattern; content:"const|20|FILE|5f|URL|20 3d 20|atob"; reference:url,proofpoint.com/us/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass; classtype:credential-theft; sid:2065670; rev:2; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_11_05, deployment Perimeter, deployment SSLDecrypt, signature_severity Critical, tag Phishing, updated_at 2026_01_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing; target:dest_ip;)

References

url	proofpoint.com/us/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass

Metadata

attack targetClient_Endpoint

tls stateTLSDecrypt

created at2025_11_05

deploymentSSLDecrypt

signature severityCritical

tagPhishing

updated at2026_01_29

mitre tactic idTA0001

mitre tactic nameInitial_Access

mitre technique idT1566

mitre technique namePhishing

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!