sublime | high | Rule

Credential Phishing: W-2 lure with inline SVG Windows logo

Detects inbound messages containing a link with W-2 display text and an inline SVG constructed from four colored rectangles approximating the Microsoft Windows logo. Threat actors use hand-crafted SVG elements rather than image attachments to bypass image-based detection and render a convincing Windows or Microsoft brand impersonation directly in the email body. The color matching uses fuzzy hex ranges to account for minor variations across campaigns.

MITRE ATT&CK

defense-evasion, initial-access

Detection Query

type.inbound
// display text contains a reference to W2
and any(body.current_thread.links,
        regex.icontains(strings.replace_confusables(.display_text),
                        '(?:W|VV)\s*-?\s*2'
        )
)
// inline SVG that mimics the Windows logo
and regex.icontains(body.html.raw,
                    '<rect x="\d+" y="\d+" width="\d+" height="\d+" fill="#[c-f][0-9a-f][0-3][0-9a-f][0-3][0-9a-f]">\s*<\/rect>\s*<rect x="\d+" y="\d+" width="\d+" height="\d+" fill="#[0-3][0-9a-f][8-f][0-9a-f][2-6][0-9a-f]">\s*<\/rect>\s*<rect x="\d+" y="\d+" width="\d+" height="\d+" fill="#[0-3][0-9a-f][5-9][0-9a-f][a-f][0-9a-f]">\s*<\/rect>\s*<rect x="\d+" y="\d+" width="\d+" height="\d+" fill="#[c-f][0-9a-f][a-f][0-9a-f][0-3][0-9a-f]">\s*<\/rect>\s*<\/svg>\s*<\/td>'
)
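As an added illustration that is not part of the rule or Sublime's code, the following Python re-implements the two content conditions of the query above and runs them over a constructed sample body. `replace_confusables` is a simplified NFKC-based stand-in for the rule's `strings.replace_confusables`, and the message dict is an assumed structure, not Sublime's message schema.

```python
import re
import unicodedata

# Fuzzy fill-colour ranges copied from the rule, in Windows-logo order:
# red (high R, low G, low B), green (low R, high G, mid B),
# blue (low R, mid G, high B), yellow (high R, high G, low B).
FILLS = [
    r"#[c-f][0-9a-f][0-3][0-9a-f][0-3][0-9a-f]",
    r"#[0-3][0-9a-f][8-f][0-9a-f][2-6][0-9a-f]",
    r"#[0-3][0-9a-f][5-9][0-9a-f][a-f][0-9a-f]",
    r"#[c-f][0-9a-f][a-f][0-9a-f][0-3][0-9a-f]",
]
RECT = r'<rect x="\d+" y="\d+" width="\d+" height="\d+" fill="{}">\s*</rect>\s*'
# Four rects in sequence, then the closing </svg> and </td>, as in the rule.
WINDOWS_LOGO_RE = re.compile(
    "".join(RECT.format(fill) for fill in FILLS) + r"</svg>\s*</td>", re.IGNORECASE
)
# "W-2" with optional whitespace/hyphen, plus the "VV" substitution for "W".
W2_RE = re.compile(r"(?:W|VV)\s*-?\s*2", re.IGNORECASE)

def replace_confusables(text: str) -> str:
    """Simplified stand-in (assumption) for strings.replace_confusables: NFKC
    folds fullwidth and other compatibility forms, e.g. 'Ｖ' -> 'V', '２' -> '2'."""
    return unicodedata.normalize("NFKC", text)

def has_w2_link(links: list) -> bool:
    """True if any link's display text mentions W-2 after confusable folding."""
    return any(W2_RE.search(replace_confusables(link["display_text"])) for link in links)

def has_inline_windows_logo(html: str) -> bool:
    """True if the raw HTML carries the four-rectangle inline SVG logo."""
    return WINDOWS_LOGO_RE.search(html) is not None

def matches_rule(message: dict) -> bool:
    """All three rule conditions: inbound, W-2 link text, inline SVG logo."""
    return (message["inbound"] and has_w2_link(message["links"])
            and has_inline_windows_logo(message["html"]))

# Constructed sample body (not from a real campaign): the SVG logo inside a <td>.
SAMPLE_HTML = """<td><svg width="20" height="20">
<rect x="0" y="0" width="9" height="9" fill="#e81123"></rect>
<rect x="11" y="0" width="9" height="9" fill="#0f9d3e"></rect>
<rect x="0" y="11" width="9" height="9" fill="#0078d7"></rect>
<rect x="11" y="11" width="9" height="9" fill="#ffb900"></rect>
</svg></td>"""
SAMPLE_MESSAGE = {"inbound": True, "html": SAMPLE_HTML,
                  "links": [{"display_text": "Review your ＶＶ-２ statement"}]}

if __name__ == "__main__":
    print("rule fires:", matches_rule(SAMPLE_MESSAGE))  # rule fires: True
```

Swapping one fill for a value outside its range (for example a red with a green channel above 0x3f) makes `has_inline_windows_logo` return False, which is the fuzzy-range behaviour the description refers to.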

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
name: "Credential Phishing: W-2 lure with inline SVG Windows logo"
description: "Detects inbound messages containing a link with W-2 display text and an inline SVG constructed from four colored rectangles approximating the Microsoft Windows logo. Threat actors use hand-crafted SVG elements rather than image attachments to bypass image-based detection and render a convincing Windows or Microsoft brand impersonation directly in the email body. The color matching uses fuzzy hex ranges to account for minor variations across campaigns."
type: "rule"
severity: "high"
source: |
  type.inbound
  // display text contains a reference to W2
  and any(body.current_thread.links,
          regex.icontains(strings.replace_confusables(.display_text),
                          '(?:W|VV)\s*-?\s*2'
          )
  )
  // inline SVG that mimics the Windows logo
  and regex.icontains(body.html.raw,
                      '<rect x="\d+" y="\d+" width="\d+" height="\d+" fill="#[c-f][0-9a-f][0-3][0-9a-f][0-3][0-9a-f]">\s*<\/rect>\s*<rect x="\d+" y="\d+" width="\d+" height="\d+" fill="#[0-3][0-9a-f][8-f][0-9a-f][2-6][0-9a-f]">\s*<\/rect>\s*<rect x="\d+" y="\d+" width="\d+" height="\d+" fill="#[0-3][0-9a-f][5-9][0-9a-f][a-f][0-9a-f]">\s*<\/rect>\s*<rect x="\d+" y="\d+" width="\d+" height="\d+" fill="#[c-f][0-9a-f][a-f][0-9a-f][0-3][0-9a-f]">\s*<\/rect>\s*<\/svg>\s*<\/td>'
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
id: "28db8459-dbc5-52c1-8863-4ede01cf104a"