Fake corporate proxy / TLS-inspection root CA install lure — spoofed-IT mail "install your company's TLS-inspection root CA" → user installs attacker root CA → silent AiTM org-wide. Sender NOT on the canonical IT-vendor / MDM allowlist (microsoft.com, microsoftonline.com, azure.com, apple.com, jamf.com, kandji.io, mosyle.com, vmware.com, workspaceone.com, cisco.com, meraki.com, paloaltonetworks.com, fortinet.com, crowdstrike.com, sentinelone.com, symantec.com, mcafee.com, trendmicro.com, sophos.com, kaspersky.com, google.com, workspace.google.com). Real corporate root CAs are deployed via MDM (Intune, JAMF, Workspace ONE, Kandji, GPO), never via user-facing inbound email link with a download URL. Distinct from R7 SSO-migration auth-flow lures — this signal is specifically the OS-trust-store manipulation pretext (engine cannot stop the CA install but CAN flag the email itself). Source: Red-Team R8 multi-agent council S3 (technical-AiTM specialist), Lead consensus C2 dissent.
proxy-ca-injection-corporate-lure
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Fake corporate proxy / TLS-inspection root CA install lure targeting corporate users + remote-work staff who routinely receive IT-policy emails. The phish narrative arrives as: "Per the new corporate security policy, you must install the company TLS-inspection root CA certificate on all your devices within 48 hours. Click the link below to download the root CA certificate and install it in your OS trust store. Action required," or "Your IT team has issued a new root CA certificate for HTTPS / TLS inspection. Download the .crt file and import it into your system certificate store within 24 hours. Failure to install the trusted root CA will block your network access."

Installing the attacker-supplied root CA into the OS trust store grants the attacker silent AiTM (adversary-in-the-middle) capability for all outbound HTTPS traffic from the device — every TLS connection can be transparently decrypted, modified, and re-encrypted, with the OS treating the attacker proxy as a legitimate trust anchor.

Real corporate root CAs are deployed via MDM (Microsoft Intune, JAMF, VMware Workspace ONE, Kandji, GPO / Active Directory) with no user-facing prompt or email link — the certificate is silently installed via the MDM agent. Real IT teams never email a `.crt` / `.pem` / `.cer` download link with deadline pressure.

Sender NOT on the canonical IT-vendor / MDM / EDR allowlist (microsoft.com, microsoftonline.com, azure.com, apple.com, jamf.com, kandji.io, mosyle.com, vmware.com, workspaceone.com, cisco.com, meraki.com, paloaltonetworks.com, fortinet.com, crowdstrike.com, sentinelone.com, symantec.com, mcafee.com, trendmicro.com, sophos.com, kaspersky.com, google.com, workspace.google.com). Distinct from R7 SSO-migration auth-flow lures — this signal is specifically the OS-trust-store manipulation pretext (engine cannot stop the CA install at the OS layer, but CAN flag the inbound email and label it).
Fires when the body matches all four of the following term groups: (1) trust-store vocabulary: root CA (cert/certificate) / CA cert(ificate) / TLS-inspection / SSL-inspection / HTTPS-inspection / certificate (authority/store) / OS (trust/certificate) store / system (trust/certificate) store / trusted root / trust (store/anchor); (2) an install / import verb: install (the/root CA/CA cert/certificate/trusted root/.crt/.pem/.cer) / import (the/root CA/CA cert/certificate/.crt/.pem/.cer/trusted root) / download (the/root CA/CA cert/.crt/.pem/.cer) / deploy (the) root CA / trust (the) (root CA/new CA); (3) a corporate / IT pretext: company / corporate / enterprise / IT (team/department/security/admin) / your IT / company (security/policy) / corporate (security/policy) / new security policy / TLS-inspection / HTTPS-inspection / network access; (4) urgency: within N hours-days / 24 hours / 48 hours / action required / mandatory / block(ed) / interruption / policy update / failure to install. Excludes the canonical IT-vendor / MDM / EDR domains. Auto-classified as danger via the `-lure` suffix. Source: Red-Team R8 multi-agent council S3 (technical-AiTM specialist), Lead consensus C2 dissent.
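The firing condition above, as an added illustrative detector. This is example code written for this page, not Gorganizer's own implementation: the four term groups are rendered as simplified regexes (an assumption; the real engine's patterns are not published here), the function names `evaluate`, `is_allowlisted` and `sender_domain` are hypothetical, the allowlist is the page's list applied by apex-domain suffix (so a vendor subdomain such as mail.microsoft.com qualifies, while a lookalike such as microsoft.com.example does not), and the sample messages are constructed.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Canonical IT-vendor / MDM / EDR allowlist, exactly as listed on the page.
IT_VENDOR_ALLOWLIST = {
    "microsoft.com", "microsoftonline.com", "azure.com", "apple.com", "jamf.com",
    "kandji.io", "mosyle.com", "vmware.com", "workspaceone.com", "cisco.com",
    "meraki.com", "paloaltonetworks.com", "fortinet.com", "crowdstrike.com",
    "sentinelone.com", "symantec.com", "mcafee.com", "trendmicro.com",
    "sophos.com", "kaspersky.com", "google.com", "workspace.google.com",
}

# The four term groups. These regexes are a simplified rendering of the page's
# group lists (assumption), not Gorganizer's own patterns; all four must match.
GROUPS = {
    "trust_store": re.compile(
        r"\b(root ca( cert(ificate)?)?|ca cert(ificate)?|(tls|ssl|https)[- ]inspection"
        r"|certificate (authority|store)|(os|system) (trust|certificate) store"
        r"|trusted root|trust (store|anchor))\b", re.I),
    # verb, then up to 40 chars of the same sentence, then the object
    "install_verb": re.compile(
        r"\b(install|import|download|deploy|trust)\b[^.\n]{0,40}?"
        r"(root ca|ca cert|certificate|trusted root|new ca|\.crt|\.pem|\.cer)", re.I),
    "corporate_pretext": re.compile(
        r"\b(company|corporate|enterprise|it (team|department|security|admin)|your it"
        r"|new security policy|(tls|https)[- ]inspection|network access)\b", re.I),
    "urgency": re.compile(
        r"\b(within \d+ (hours?|days?)|24 hours|48 hours|action required|mandatory"
        r"|blocked?|interruption|policy update|failure to install)\b", re.I),
}


@dataclass
class Verdict:
    fires: bool
    sender_domain: str
    allowlisted: bool
    matched: dict = field(default_factory=dict)  # group -> first matched phrase


def sender_domain(from_header: str) -> str:
    """Domain part of the From: address, lower-cased, trailing dot stripped."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")


def is_allowlisted(domain: str) -> bool:
    """True for an allowlisted domain or a subdomain of one (assumption: the page
    lists apex domains, so mail.microsoft.com should count). The dot boundary
    is what keeps a lookalike such as microsoft.com.example from qualifying."""
    return any(domain == d or domain.endswith("." + d) for d in IT_VENDOR_ALLOWLIST)


def evaluate(from_header: str, body: str) -> Verdict:
    """Apply the signal: non-allowlisted sender AND all four groups present."""
    domain = sender_domain(from_header)
    allowed = is_allowlisted(domain)
    matched = {}
    for name, pattern in GROUPS.items():
        hit = pattern.search(body)
        matched[name] = hit.group(0) if hit else None
    fires = not allowed and all(matched.values())
    return Verdict(fires, domain, allowed, matched)


# Constructed sample messages (not real mail). The lure body reuses the
# phrasing quoted on the page.
LURE_FROM = "IT Security <it-security@corp-helpdesk.example>"
LURE_BODY = (
    "Per the new corporate security policy, you must install the company "
    "TLS-inspection root CA certificate on all your devices within 48 hours. "
    "Click the link below to download the root CA certificate and install it "
    "in your OS trust store. Action required."
)
BENIGN_FROM = "Wiki Admin <wiki-admin@intranet.example>"
BENIGN_BODY = (
    "The TLS certificate for the intranet wiki was renewed this morning. "
    "No action is required; your browser already trusts the corporate root CA."
)
LOOKALIKE_FROM = "it@microsoft.com.security-update.example"  # NOT a Microsoft domain
VENDOR_FROM = "noreply@mail.microsoft.com"  # subdomain of an allowlisted apex

if __name__ == "__main__":
    for label, frm, body in [("lure", LURE_FROM, LURE_BODY),
                             ("benign", BENIGN_FROM, BENIGN_BODY),
                             ("lookalike", LOOKALIKE_FROM, LURE_BODY),
                             ("vendor", VENDOR_FROM, LURE_BODY)]:
        v = evaluate(frm, body)
        print(f"{label:9} fires={v.fires!s:5} domain={v.sender_domain} "
              f"allowlisted={v.allowlisted} matched={v.matched}")
```

The benign message mentions a root CA but has no install verb and no urgency phrase, so only one of the four groups matches and the signal stays quiet; the lookalike sender shows why the allowlist check must be a dot-bounded suffix match rather than a substring test. As on the page, a hit here is one contribution to a multi-module score, not a verdict on its own.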
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
Ready to clean your inbox?
Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.