Hiya,
our team received an alert for the signature ET ADWARE_PUP Observed DNS Query to Passive Income App Domain (honeybook .com) which when I looked at the signature for contains the following:
alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Observed DNS Query to Passive Income App Domain (honeybook .com)";
dns.query;
dotprefix;
content:".honeybook.com";
nocase;
endswith;
classtype:pup-activity;
sid:2067483;
rev:1;
metadata:attack_target Client_Endpoint, created_at 2026_02_11, deployment Perimeter, malware_family PUP, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_02_11;)
From researching, honeybook[.]com looks to be a CRM tool, and the actual passive income tool is called honeygain[.]com
Screenshot below attempts to show this a bit better
Just wanted to mention this incase it is the incorrect domain and needs to be tweaked 