
PhaaS: Impact Solutions (Impact Vector Suite)

Identifies the use of the Impact Solutions PhaaS. Impact Vector Suite is a full-spectrum payload delivery platform, engineered for stealth-optimized execution across all major deployment vectors.

MITRE ATT&CK

defense-evasion

Detection Query

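type.inbound
and (
  // attached html/svg: look for the JavaScript `const` declarations used by
  // the kit's pages. At least three such declarations are required so that a
  // single coincidental name (e.g. `const segments =`) does not fire the rule.
  any(filter(attachments, .file_type in ("html", "svg")),
      regex.count(file.parse_text(.).text,
                  'const (?:urlParts|fakeEvent|progressBar|progressInterval|segments|statusText|securityNotice|statusMessages|challengeForm|challengeRunning|challengeSuccess|successText|verifyingText|encodedTarget|baseDomain|newDynamicParam|statusElement)\s*='
      ) >= 3
      // alternatively, three constants that appear together in the kit's
      // pages (presumably its redirect configuration -- verify against samples)
      or (
        strings.icontains(file.parse_text(.).text, 'const baseDomain')
        and strings.icontains(file.parse_text(.).text, 'const port')
        and strings.icontains(file.parse_text(.).text, 'const path')
      )
      // NOTE(review): 'impact?' is a case-insensitive substring test, not a
      // regex, so ordinary prose such as "what is the impact?" also satisfies
      // it; tighten this branch if it proves noisy.
      or strings.icontains(file.parse_text(.).text, 'impact?')
      // a digit immediately before "/impact" (e.g. a port number in a URL)
      or regex.contains(file.parse_text(.).text, '\d/impact')
  )

  // attached EMLs with html/svg attachments: same checks as above, applied to
  // html/svg files nested inside a forwarded/attached message
  or any(filter(attachments,
                .content_type == "message/rfc822" or .file_extension == "eml"
         ),
         any(filter(file.parse_eml(.).attachments,
                    .file_type in ("html", "svg")
             ),
             regex.count(file.parse_text(.).text,
                         'const (?:urlParts|fakeEvent|progressBar|progressInterval|segments|statusText|securityNotice|statusMessages|challengeForm|challengeRunning|challengeSuccess|successText|verifyingText|encodedTarget|baseDomain|newDynamicParam|statusElement)\s*='
             ) >= 3
             or (
               strings.icontains(file.parse_text(.).text, 'const baseDomain')
               and strings.icontains(file.parse_text(.).text, 'const port')
               and strings.icontains(file.parse_text(.).text, 'const path')
             )
             or strings.icontains(file.parse_text(.).text, 'impact?')
             or regex.contains(file.parse_text(.).text, '\d/impact')
         )
  )

  // direct body links: an "impact" path served on port 8443 or 2087.
  // The path test alone is too generic, so the port test is a required
  // second condition.
  or any(body.links,
         (
           strings.icontains(.href_url.url, "impact?session_")
           or strings.icontains(.href_url.url, "/impact")
         )
         and (
           strings.icontains(.href_url.url, ":8443")
           or strings.icontains(.href_url.url, ":2087")
         )
  )
)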

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
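name: "PhaaS: Impact Solutions (Impact Vector Suite)"
description: |
  Identifies the use of the Impact Solutions PhaaS.

  Impact Vector Suite is a full-spectrum payload delivery platform, engineered for stealth-optimized execution across all major deployment vectors.
type: "rule"
severity: "medium"
# The query below is MQL; `//` lines inside it are MQL comments and are part
# of the block scalar, not YAML comments.
source: |
  type.inbound
  and (
    // attached html/svg: look for the JavaScript `const` declarations used by
    // the kit's pages. At least three such declarations are required so that a
    // single coincidental name (e.g. `const segments =`) does not fire the rule.
    any(filter(attachments, .file_type in ("html", "svg")),
        regex.count(file.parse_text(.).text,
                    'const (?:urlParts|fakeEvent|progressBar|progressInterval|segments|statusText|securityNotice|statusMessages|challengeForm|challengeRunning|challengeSuccess|successText|verifyingText|encodedTarget|baseDomain|newDynamicParam|statusElement)\s*='
        ) >= 3
        // alternatively, three constants that appear together in the kit's
        // pages (presumably its redirect configuration -- verify against samples)
        or (
          strings.icontains(file.parse_text(.).text, 'const baseDomain')
          and strings.icontains(file.parse_text(.).text, 'const port')
          and strings.icontains(file.parse_text(.).text, 'const path')
        )
        // NOTE(review): 'impact?' is a case-insensitive substring test, not a
        // regex, so ordinary prose such as "what is the impact?" also satisfies
        // it; tighten this branch if it proves noisy.
        or strings.icontains(file.parse_text(.).text, 'impact?')
        // a digit immediately before "/impact" (e.g. a port number in a URL)
        or regex.contains(file.parse_text(.).text, '\d/impact')
    )

    // attached EMLs with html/svg attachments: same checks as above, applied to
    // html/svg files nested inside a forwarded/attached message
    or any(filter(attachments,
                  .content_type == "message/rfc822" or .file_extension == "eml"
           ),
           any(filter(file.parse_eml(.).attachments,
                      .file_type in ("html", "svg")
               ),
               regex.count(file.parse_text(.).text,
                           'const (?:urlParts|fakeEvent|progressBar|progressInterval|segments|statusText|securityNotice|statusMessages|challengeForm|challengeRunning|challengeSuccess|successText|verifyingText|encodedTarget|baseDomain|newDynamicParam|statusElement)\s*='
               ) >= 3
               or (
                 strings.icontains(file.parse_text(.).text, 'const baseDomain')
                 and strings.icontains(file.parse_text(.).text, 'const port')
                 and strings.icontains(file.parse_text(.).text, 'const path')
               )
               or strings.icontains(file.parse_text(.).text, 'impact?')
               or regex.contains(file.parse_text(.).text, '\d/impact')
           )
    )

    // direct body links: an "impact" path served on port 8443 or 2087.
    // The path test alone is too generic, so the port test is a required
    // second condition.
    or any(body.links,
           (
             strings.icontains(.href_url.url, "impact?session_")
             or strings.icontains(.href_url.url, "/impact")
           )
           and (
             strings.icontains(.href_url.url, ":8443")
             or strings.icontains(.href_url.url, ":2087")
           )
    )
  )
# Taxonomy tags used for cataloguing; they do not affect the query.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
id: "4d197faf-31bc-5f09-bf60-9f6a52f913a9"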