alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Tycoon 2FA Analysis Evasion"; flow:established,to_client; http.response_body; content:"|2e|includes|28 22|Burp|22 29|"; content:"|7b 20|keyCode|3a 20|123|20 7d 2c|"; content:"|7b 20|ctrl|3a 20|true|2c 20|keyCode|3a 20|85|20 7d|"; fast_pattern; content:"|7b 20|ctrl|3a 20|true|2c 20|shift|3a 20|true|2c 20|keyCode|3a 20|"; pcre:"/^(?:73|67|74|75|85)/R"; reference:url,proofpoint.com/us/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass; classtype:credential-theft; sid:2065673; rev:2; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_11_05, deployment Perimeter, deployment SSLDecrypt, signature_severity Critical, tag Phishing, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing; target:dest_ip;)