Possibly incorrect domain for ET ADWARE_PUP signature

Hiya,

Our team received an alert for the signature ET ADWARE_PUP Observed DNS Query to Passive Income App Domain (honeybook .com), which, when I looked at the signature, contains the following:

alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Observed DNS Query to Passive Income App Domain (honeybook .com)"; dns.query; dotprefix; content:".honeybook.com"; nocase; endswith; classtype:pup-activity; sid:2067483; rev:1; metadata:attack_target Client_Endpoint, created_at 2026_02_11, deployment Perimeter, malware_family PUP, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_02_11;)

From researching, honeybook[.]com looks to be a CRM tool, and the actual passive income tool is called honeygain[.]com.

The screenshot below attempts to show this a bit better.

Just wanted to mention this in case it is the incorrect domain and needs to be tweaked :folded_hands:

1 Like

Hey @starbuck

Thanks for the detailed analysis! These are false positives and the rules should be removed within the next 30 mins or so.

Apologies for the noise!
Isaac

2 Likes

Thanks @starbuck @ishaughnessy!