diff --git a/rules/proxy/proxy_ua_suspicious.yml b/rules/proxy/proxy_ua_suspicious.yml
index cc8a66a0..ac400a36 100644
--- a/rules/proxy/proxy_ua_suspicious.yml
+++ b/rules/proxy/proxy_ua_suspicious.yml
@@ -20,6 +20,7 @@ detection:
 - ' Mozilla/*' # leading space
 - 'Mozila/*' # single 'l'
 - '_'
+ - 'CertUtil URL Agent' # https://twitter.com/stvemillertime/status/985150675527974912
 falsepositives:
 UserAgent:
 - 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content
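Review bot: The added entry `'CertUtil URL Agent'` documents its provenance only as a tweet link in a trailing comment, while the neighbouring comments say what each pattern is; a reader should not need an external link to learn that this is the user agent Windows certutil.exe sends when it retrieves a URL, so I would write `- 'CertUtil URL Agent' # UA of Windows certutil.exe URL fetches` and put the link in the rule's top-level `references:` list, which lies outside this hunk. Unlike the other entries in the list, the new string carries no `*` wildcard, so under Sigma matching it matches the user-agent field as a whole rather than as a prefix; if that is intentional, the comment should say so, otherwise a trailing `*` would make it consistent with its neighbours. Legitimate certificate-chain checks run by administrators with certutil presumably produce the same user agent, and the `falsepositives` selection shown here only carves out Acrobat, so the rule's top-level `falsepositives` list may need an entry for that. The `detection:` mapping starts before this hunk and its `condition` follows after it.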