Link: Tycoon2FA phishing kit (non-exhaustive)
Detects links utilizing the Tycoon2FA phishing kit, identified by specific DOM structure patterns and CDN characteristics, combined with suspicious domain indicators such as free subdomain hosts or suspicious TLDs. As the Tycoon2FA kit is evolving, this rule will not detect all variants of Tycoon2FA phishing, and is designed to complement existing and future detections.
Detection Query
// Scope: inbound mail whose current thread carries fewer than ten links.
// Each link that passes the gate below is rendered with ml.link_analysis(.);
// the later checks read its final DOM and the set of URLs fetched while
// rendering.
type.inbound
and length(body.current_thread.links) < 10
and any(body.current_thread.links,
  // initial suspicious link check: the link host sits on a free subdomain
  // provider or a suspicious TLD ($free_subdomain_hosts / $suspicious_tlds
  // are list references, presumably maintained outside this rule), or the
  // URL contains the address of a recipient whose domain is valid
  (
    .href_url.domain.root_domain in $free_subdomain_hosts
    or .href_url.domain.tld in $suspicious_tlds
    or any(recipients.to,
      strings.icontains(..href_url.url, .email.email)
      and .email.domain.valid
    )
  )
  // known Tycoon pattern (benign on its own, but a good confirming indicator when coupled with additional logic)
  // NOTE(review): "/cdn-cgi/rum" looks like a CDN-side beacon that any site
  // fronted by that CDN would load, so it narrows the candidate set rather
  // than identifying the kit -- confirm
  and any(ml.link_analysis(.).unique_urls_accessed,
    .path in ("/cdn-cgi/rum")
  )
  // begin CAPTCHA options: at least one of the four landing-page
  // fingerprints below must match
  and (
    // Grid "CAPTCHA": the final DOM uses exactly five distinct class
    // attribute values and every one of them is in the fixed set below
    // NOTE(review): an exact count of five is brittle against any change to
    // the kit's template; the description already accepts that trade-off
    (
      length(distinct(map(html.xpath(ml.link_analysis(.).final_dom,
        '//*/@class'
      ).nodes,
      .raw
      ),
      .
      )
      ) == 5
      and all(distinct(map(html.xpath(ml.link_analysis(.).final_dom,
        '//*/@class'
      ).nodes,
      .raw
      ),
      .
      ),
      . in ("card", "title", "hint", "grid", "dot")
      )
    )
    // Unsplash image selection "CAPTCHA": any one of the four signals below
    or (
      // a puzzle/captcha class name appears in the final DOM
      any(distinct(map(html.xpath(ml.link_analysis(.).final_dom,
        '//*/@class'
      ).nodes,
      .raw
      ),
      .
      ),
      . in (
        "captcha-container",
        "puzzle-piece drag-hint",
        "puzzle-image"
      )
      )
      // more than four URLs on images.unsplash.com were fetched while rendering
      or length(filter(ml.link_analysis(.).unique_urls_accessed,
        .domain.domain == "images.unsplash.com"
      )
      ) > 4
      // more than three JavaScript identifiers containing "puzzle"
      // (case-insensitive) in any file exploded out of the final DOM
      or any(file.explode(ml.link_analysis(.).final_dom),
        length(filter(.scan.javascript.identifiers,
          strings.icontains(., "puzzle")
        )
        ) > 3
      )
      // one of the phrases the rule associates with the kit appears in the
      // raw HTML (case-insensitive glob match)
      or strings.ilike(ml.link_analysis(.).final_dom.raw,
        "*Please align the puzzle correctly*",
        "*Verified! You may proceed*",
        "*Human Check*",
        "*needs to review the security of your connection before proceeding.*"
      )
    )
    // Randomized image domain CAPTCHA
    // all image URL domains accessed are unique from each other:
    // the number of fetched URLs whose path ends in .jpg/.png/.jpeg equals
    // the number of distinct root domains among them (no root domain
    // repeats), and there are more than four such URLs
    // NOTE(review): strings.ends_with is presumably case-sensitive, so a path
    // ending in ".JPG" would not be counted -- confirm whether that matters
    or (
      length(filter(ml.link_analysis(.).unique_urls_accessed,
        any([".jpg", ".png", ".jpeg"],
          strings.ends_with(..path, .)
        )
      )
      ) == length(distinct(filter(ml.link_analysis(.).unique_urls_accessed,
        any([".jpg", ".png", ".jpeg"],
          strings.ends_with(..path, .)
        )
      ),
      .domain.root_domain
      )
      )
      and length(filter(ml.link_analysis(.).unique_urls_accessed,
        any([".jpg", ".png", ".jpeg"],
          strings.ends_with(..path, .)
        )
      )
      ) > 4
    )
    // Recurring form pattern: exactly one hidden input named "zone" inside a
    // form that POSTs
    or length(html.xpath(ml.link_analysis(.).final_dom,
      "//form[@method='POST']//input[@name='zone' and @type='hidden']"
    ).nodes
    ) == 1
  )
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
# Rule definition for the Sublime detection rendered on this page.
# name/description are the display strings; severity is the badge level.
name: "Link: Tycoon2FA phishing kit (non-exhaustive)"
description: "Detects links utilizing the Tycoon2FA phishing kit, identified by specific DOM structure patterns and CDN characteristics, combined with suspicious domain indicators such as free subdomain hosts or suspicious TLDs. As the Tycoon2FA kit is evolving, this rule will not detect all variants of Tycoon2FA phishing, and is designed to compliment existing and future detections."
type: "rule"
severity: "high"
# MQL detection query as a YAML literal block. The leading indentation is
# stripped by the YAML parser and is not part of the query; "//" lines
# inside the block are MQL comments.
source: |
  type.inbound
  and length(body.current_thread.links) < 10
  and any(body.current_thread.links,
  // initial suspicious link check
  (
  .href_url.domain.root_domain in $free_subdomain_hosts
  or .href_url.domain.tld in $suspicious_tlds
  or any(recipients.to,
  strings.icontains(..href_url.url, .email.email)
  and .email.domain.valid
  )
  )
  // known Tycoon pattern (benign on its own, but a good confirming indicator when coupled with additional logic)
  and any(ml.link_analysis(.).unique_urls_accessed,
  .path in ("/cdn-cgi/rum")
  )
  // begin CAPTCHA options
  and (
  // Grid "CAPTCHA"
  (
  length(distinct(map(html.xpath(ml.link_analysis(.).final_dom,
  '//*/@class'
  ).nodes,
  .raw
  ),
  .
  )
  ) == 5
  and all(distinct(map(html.xpath(ml.link_analysis(.).final_dom,
  '//*/@class'
  ).nodes,
  .raw
  ),
  .
  ),
  . in ("card", "title", "hint", "grid", "dot")
  )
  )
  // Unsplash image selection "CAPTCHA"
  or (
  any(distinct(map(html.xpath(ml.link_analysis(.).final_dom,
  '//*/@class'
  ).nodes,
  .raw
  ),
  .
  ),
  . in (
  "captcha-container",
  "puzzle-piece drag-hint",
  "puzzle-image"
  )
  )
  or length(filter(ml.link_analysis(.).unique_urls_accessed,
  .domain.domain == "images.unsplash.com"
  )
  ) > 4
  or any(file.explode(ml.link_analysis(.).final_dom),
  length(filter(.scan.javascript.identifiers,
  strings.icontains(., "puzzle")
  )
  ) > 3
  )
  or strings.ilike(ml.link_analysis(.).final_dom.raw,
  "*Please align the puzzle correctly*",
  "*Verified! You may proceed*",
  "*Human Check*",
  "*needs to review the security of your connection before proceeding.*"
  )
  )
  // Randomized image domain CAPTCHA
  // all image URL domains accessed are unique from each other
  or (
  length(filter(ml.link_analysis(.).unique_urls_accessed,
  any([".jpg", ".png", ".jpeg"],
  strings.ends_with(..path, .)
  )
  )
  ) == length(distinct(filter(ml.link_analysis(.).unique_urls_accessed,
  any([".jpg", ".png", ".jpeg"],
  strings.ends_with(..path, .)
  )
  ),
  .domain.root_domain
  )
  )
  and length(filter(ml.link_analysis(.).unique_urls_accessed,
  any([".jpg", ".png", ".jpeg"],
  strings.ends_with(..path, .)
  )
  )
  ) > 4
  )
  // Reoccuring form pattern
  or length(html.xpath(ml.link_analysis(.).final_dom,
  "//form[@method='POST']//input[@name='zone' and @type='hidden']"
  ).nodes
  ) == 1
  )
  )
# Classification tags attached to the rule; the first two lists describe
# the attack, the third the analysis techniques the query relies on.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free subdomain host"
  - "Evasion"
  - "Credential Phishing"
detection_methods:
  - "URL analysis"
  - "HTML analysis"
  - "Content analysis"
# Rule identifier -- presumably the stable key the platform tracks this rule by
id: "a070d4e2-9d0c-5b85-b7a5-18ee6fb66720"