[PR #3554] added rule: PhaaS: Impact Solutions (Impact Vector Suite)

Author: github-actions[bot]

detection-rules/3554_phaas_impact_solutions.yml

@@ -0,0 +1,37 @@
+name: "PhaaS: Impact Solutions (Impact Vector Suite)"
+description: |
+  Identifies the use of the Impact Solutions PhaaS.
+
+  Impact Vector Suite is a full-spectrum payload delivery platform, engineered for stealth-optimized execution across all major deployment vectors.
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(attachments) >= 1
+  and any(attachments,
+          .size < 10000
+          and .file_extension == "htm"
+          and (
+            regex.icontains(file.parse_html(.).raw,
+                            "const (?:urlParts|fakeEvent|progressBar|segments)"
+            )
+            or any([file.parse_html(.).raw],
+                  strings.icontains(., "impact?")
+                  or strings.icontains(., "/impact")
+                  or strings.icontains(., ":8443")
+                  or strings.icontains(., "file://")
+            )
+          )
+  )
+
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+detection_methods:
+  - "Content analysis"
+id: "5ab4e668-916c-5ef5-8fed-0bb53205baa7"
+og_id: "4d197faf-31bc-5f09-bf60-9f6a52f913a9"
+testing_pr: 3554
+testing_sha: 3e53bd00f0f766e8f2580082399ba0723b123cf6