diff --git a/indicators/facebook-pl-7d71c1c.yml b/indicators/facebook-pl-7d71c1c.yml
new file mode 100644
index 00000000..9c51638f
--- /dev/null
+++ b/indicators/facebook-pl-7d71c1c.yml
@@ -0,0 +1,29 @@
+title: Facebook Phishing Kit 7d71c1c
+description: |
+ Detects a Facebook phishing kit targeting
+ Polish speaking users. Using the same Google
+ Tag ID across every domain deploying this kit
+ and using the same name for the logo file.
+
+references:
+ - https://urlscan.io/result/4467573b-d13a-4f2c-85df-5dbce3de9eda
+ - https://urlscan.io/result/7d71c1c0-da74-41bf-b4c7-25e9ba421f1e
+ - https://urlscan.io/result/d4890e94-a7e6-4b9a-b4b2-fab8eaa3ccc3
+
+detection:
+
+ logo:
+ requests|contains: 'fb4.png'
+
+ googleTagId:
+ dom|contains: 'UA-178388451-1'
+
+ invalidStylesheetReference:
+ dom|contains: 'https://fonts.googlay=swap'
+
+ condition: logo and googleTagId and invalidStylesheetReference
+
+tags:
+ - target.facebook
+ - target_country.poland
+
diff --git a/indicators/facebook-pl-d71c1c.yml b/indicators/facebook-pl-d71c1c.yml
deleted file mode 100644
index c8eea3e1..00000000
--- a/indicators/facebook-pl-d71c1c.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Facebook Phishing Kit 7d71c1c
-description: |
- Detects a Facebook phishing kit targeting
- Polish speaking users. Using the same login
- form structure across all domains as well
- as using the same name for the logo file.
-
-references:
- - https://urlscan.io/result/4467573b-d13a-4f2c-85df-5dbce3de9eda
- - https://urlscan.io/result/7d71c1c0-da74-41bf-b4c7-25e9ba421f1e
- - https://urlscan.io/result/d4890e94-a7e6-4b9a-b4b2-fab8eaa3ccc3
- - https://urlscan.io/result/dc6ff99f-d94c-4a7a-9337-af606fd6be21
-
-
-detection:
-
- logo:
- requests|contains: 'fb4.png'
-
- loginElement:
- html|contains|all:
- - '
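Review bot: The `invalidStylesheetReference` selector in indicators/facebook-pl-7d71c1c.yml matches `'https://fonts.googlay=swap'`, which reads like an accidental truncation of a Google Fonts URL, and nothing in the file says the broken string is itself the fingerprint. Judging by the selector name it is intentional, so a comment above it such as `# Kit ships this malformed Google Fonts URL verbatim; do not "correct" it` would stop a later cleanup from silently disabling the rule. The description also names only the shared Google Tag ID and the logo file name, while `condition` requires all three selectors, so it should mention the stylesheet reference as well. Because the selectors are ANDed and the fourth urlscan reference from the deleted rule is not carried over, it is worth confirming that every reference still listed matches the new condition.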