• Sublime Core Feed

Description

Detects links utilizing the Tycoon2FA phishing kit, identified by specific DOM structure patterns and CDN characteristics, combined with suspicious domain indicators such as free subdomain hosts or suspicious TLDs. Because the Tycoon2FA kit is still evolving, this rule will not detect every variant of Tycoon2FA phishing; it is designed to complement existing and future detections.

References

No references.

Sublime Security
Created Dec 2nd, 2025 • Last updated Dec 2nd, 2025
Source
type.inbound
and length(body.current_thread.links) < 10
and any(body.current_thread.links,
        // initial suspicious link check
        (
          .href_url.domain.root_domain in $free_subdomain_hosts
          or .href_url.domain.tld in $suspicious_tlds
          or any(recipients.to,
                 strings.icontains(..href_url.url, .email.email)
                 and .email.domain.valid
          )
        )

        // known Tycoon pattern (benign on its own, but a good confirming indicator when coupled with additional logic)
        and any(ml.link_analysis(.).unique_urls_accessed,
                .path in ("/cdn-cgi/rum")
        )

        // begin CAPTCHA options
        and (
          // Grid "CAPTCHA"
          (
            length(distinct(map(html.xpath(ml.link_analysis(.).final_dom,
                                           '//*/@class'
                                ).nodes,
                                .raw
                            ),
                            .
                   )
            ) == 5
            and all(distinct(map(html.xpath(ml.link_analysis(.).final_dom,
                                            '//*/@class'
                                 ).nodes,
                                 .raw
                             ),
                             .
                    ),
                    . in ("card", "title", "hint", "grid", "dot")
            )
          )
          // Unsplash image selection "CAPTCHA"
          or (
            any(distinct(map(html.xpath(ml.link_analysis(.).final_dom,
                                        '//*/@class'
                             ).nodes,
                             .raw
                         ),
                         .
                ),
                . in (
                  "captcha-container",
                  "puzzle-piece drag-hint",
                  "puzzle-image"
                )
            )
            or length(filter(ml.link_analysis(.).unique_urls_accessed,
                             .domain.domain == "images.unsplash.com"
                      )
            ) > 4
            or any(file.explode(ml.link_analysis(.).final_dom),
                   length(filter(.scan.javascript.identifiers,
                                 strings.icontains(., "puzzle")
                          )
                   ) > 3
            )
            or strings.ilike(ml.link_analysis(.).final_dom.raw,
                             "*Please align the puzzle correctly*",
                             "*Verified! You may proceed*",
                             "*Human Check*"
            )
          )
          // Randomized image domain CAPTCHA
          // all image URL domains accessed are unique from each other
          or (
            length(filter(ml.link_analysis(.).unique_urls_accessed,
                          any([".jpg", ".png", ".jpeg"],
                              strings.ends_with(..path, .)
                          )
                   )
            ) == length(distinct(filter(ml.link_analysis(.).unique_urls_accessed,
                                        any([".jpg", ".png", ".jpeg"],
                                            strings.ends_with(..path, .)
                                        )
                                 ),
                                 .domain.root_domain
                        )
            )
            and length(filter(ml.link_analysis(.).unique_urls_accessed,
                              any([".jpg", ".png", ".jpeg"],
                                  strings.ends_with(..path, .)
                              )
                       )
            ) > 4
          )

          // Recurring form pattern
          or length(html.xpath(ml.link_analysis(.).final_dom,
                               "//form[@method='POST']//input[@name='zone' and @type='hidden']"
                    ).nodes
          ) == 1
        )
)
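To make the CAPTCHA heuristics above concrete, the following Python script (an added example, not Sublime's code and not part of the rule) re-implements the /cdn-cgi/rum confirming check and three of the CAPTCHA branches over a constructed link-analysis result. The input dict shape, the function names and the last-two-labels root_domain approximation are assumptions for the demo; the initial domain checks and the hidden-input form branch are not mirrored.

```python
from urllib.parse import urlparse

# Constructed sample of a crawled link: class attributes in the final DOM and the URLs fetched while rendering it.
SAMPLE_LINK = {
    "dom_classes": ["card", "title", "hint", "grid", "dot", "dot", "dot"],
    "urls_accessed": [
        "https://lure.example-host.test/cdn-cgi/rum",
        "https://a1.cdn-one.test/p/1.jpg",
        "https://b2.cdn-two.test/p/2.png",
        "https://c3.cdn-three.test/p/3.jpeg",
        "https://d4.cdn-four.test/p/4.jpg",
        "https://e5.cdn-five.test/p/5.png",
    ],
}
GRID_CLASSES = {"card", "title", "hint", "grid", "dot"}

def root_domain(host: str) -> str:
    # Simplified eTLD+1 (last two labels); the rule itself uses Sublime's root_domain (assumption for this demo).
    return ".".join(host.lower().split(".")[-2:])

def has_rum_beacon(urls) -> bool:
    # Confirming indicator from the rule: a fetched URL whose path is exactly /cdn-cgi/rum.
    return any(urlparse(u).path == "/cdn-cgi/rum" for u in urls)

def grid_captcha(dom_classes) -> bool:
    # Grid "CAPTCHA": exactly five distinct class names, all drawn from the known grid set.
    distinct = set(dom_classes)
    return len(distinct) == 5 and distinct <= GRID_CLASSES

def unsplash_captcha(urls) -> bool:
    # Unsplash image-selection "CAPTCHA": more than four fetches from images.unsplash.com.
    return sum(urlparse(u).hostname == "images.unsplash.com" for u in urls) > 4

def randomized_image_domains(urls) -> bool:
    # Randomized image domain CAPTCHA: more than four image URLs, each from a different root domain.
    imgs = [u for u in urls if urlparse(u).path.endswith((".jpg", ".png", ".jpeg"))]
    roots = {root_domain(urlparse(u).hostname or "") for u in imgs}
    return len(imgs) > 4 and len(roots) == len(imgs)

def evaluate(link) -> dict:
    # Same combination as the rule: RUM beacon AND any one of the CAPTCHA variants.
    urls = link["urls_accessed"]
    flags = {
        "rum": has_rum_beacon(urls),
        "grid": grid_captcha(link["dom_classes"]),
        "unsplash": unsplash_captcha(urls),
        "random_images": randomized_image_domains(urls),
    }
    flags["match"] = flags["rum"] and any(flags[k] for k in ("grid", "unsplash", "random_images"))
    return flags
```

Running evaluate(SAMPLE_LINK) shows which branches fired, which is useful when tuning the rule against a false positive: a legitimate page that loads many images from a single CDN fails the randomized-domain branch because all roots collapse to one.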