Credential Phishing: W-2 lure with inline SVG Windows logo
Detects inbound messages containing a link with W-2 display text and an inline SVG constructed from four colored rectangles approximating the Microsoft Windows logo. Threat actors use hand-crafted SVG elements rather than image attachments to bypass image-based detection and render a convincing Windows or Microsoft brand impersonation directly in the email body. The color matching uses fuzzy hex ranges to account for minor variations across campaigns.
Sublime rule
name: "Credential Phishing: W-2 lure with inline SVG Windows logo"
description: "Detects inbound messages containing a link with W-2 display text and an inline SVG constructed from four colored rectangles approximating the Microsoft Windows logo. Threat actors use hand-crafted SVG elements rather than image attachments to bypass image-based detection and render a convincing Windows or Microsoft brand impersonation directly in the email body. The color matching uses fuzzy hex ranges to account for minor variations across campaigns."
type: "rule"
severity: "high"
source: |
  type.inbound
  // display text contains a reference to W2
  and any(body.current_thread.links,
          regex.icontains(strings.replace_confusables(.display_text),
                          '(?:W|VV)\s*-?\s*2'
          )
  )
  // inline SVG that mimics the Windows logo
  and regex.icontains(body.html.raw,
                      '<rect x="\d+" y="\d+" width="\d+" height="\d+" fill="#[c-f][0-9a-f][0-3][0-9a-f][0-3][0-9a-f]">\s*<\/rect>\s*<rect x="\d+" y="\d+" width="\d+" height="\d+" fill="#[0-3][0-9a-f][8-f][0-9a-f][2-6][0-9a-f]">\s*<\/rect>\s*<rect x="\d+" y="\d+" width="\d+" height="\d+" fill="#[0-3][0-9a-f][5-9][0-9a-f][a-f][0-9a-f]">\s*<\/rect>\s*<rect x="\d+" y="\d+" width="\d+" height="\d+" fill="#[c-f][0-9a-f][a-f][0-9a-f][0-3][0-9a-f]">\s*<\/rect>\s*<\/svg>\s*<\/td>'
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
id: "28db8459-dbc5-52c1-8863-4ede01cf104a"
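The following Python is an added example, not part of the Sublime rule or Sublime's own code. It re-implements the two conditions the rule combines (a link whose display text reads "W-2" after confusable characters are normalised, and the four fuzzy-colour rectangles followed by closing svg and td tags) so the logic can be exercised offline against constructed HTML. The link extraction, the tiny `CONFUSABLES` table standing in for `strings.replace_confusables`, and both sample bodies are assumptions built for this example; the two regular expressions are copied from the rule.

```python
import re
from html.parser import HTMLParser

# Display-text check, identical to the rule's expression.
W2_TEXT = re.compile(r"(?:W|VV)\s*-?\s*2", re.IGNORECASE)


def _rect(fill_ranges: str) -> str:
    # One <rect> with the rule's fuzzy fill range; the rule requires this exact
    # attribute order and spacing, so a reordered or extra attribute would not match.
    return (r'<rect x="\d+" y="\d+" width="\d+" height="\d+" fill="#'
            + fill_ranges + r'">\s*<\/rect>\s*')


# Four rectangles in the rule's order, then the closing </svg> and </td>.
WINDOWS_SVG = re.compile(
    _rect(r"[c-f][0-9a-f][0-3][0-9a-f][0-3][0-9a-f]")    # high red, low green/blue
    + _rect(r"[0-3][0-9a-f][8-f][0-9a-f][2-6][0-9a-f]")  # low red, high green, mid blue
    + _rect(r"[0-3][0-9a-f][5-9][0-9a-f][a-f][0-9a-f]")  # low red, mid green, high blue
    + _rect(r"[c-f][0-9a-f][a-f][0-9a-f][0-3][0-9a-f]")  # high red/green, low blue
    + r"<\/svg>\s*<\/td>",
    re.IGNORECASE,
)

# Minimal stand-in for strings.replace_confusables() (assumption): a few Unicode
# lookalikes mapped to ASCII. Sublime's real function covers far more characters.
CONFUSABLES = str.maketrans({"Ｗ": "W", "ｗ": "w", "２": "2", "‐": "-", "–": "-", "−": "-"})


class _LinkText(HTMLParser):
    """Collects the display text of every <a> element (stand-in for .display_text)."""

    def __init__(self):
        super().__init__()
        self._in_a = False
        self._buf = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_a, self._buf = True, []

    def handle_data(self, data):
        if self._in_a:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_a:
            self.links.append("".join(self._buf).strip())
            self._in_a = False


def link_display_texts(html: str) -> list:
    parser = _LinkText()
    parser.feed(html)
    return parser.links


def has_w2_link(html: str) -> bool:
    # any(body.current_thread.links, regex.icontains(replace_confusables(.display_text), ...))
    return any(W2_TEXT.search(t.translate(CONFUSABLES)) for t in link_display_texts(html))


def has_windows_logo_svg(html: str) -> bool:
    # regex.icontains(body.html.raw, '<rect ...')
    return WINDOWS_SVG.search(html) is not None


def matches_rule(html: str, inbound: bool = True) -> bool:
    # type.inbound and <W-2 link> and <SVG logo>
    return inbound and has_w2_link(html) and has_windows_logo_svg(html)


# Constructed sample that satisfies both conditions: fill values chosen to fall
# inside each fuzzy range, and a full-width "Ｗ" plus a Unicode hyphen in the link text.
SAMPLE_HIT = """<html><body><table><tr><td>
<svg width="40" height="40">
<rect x="0" y="0" width="18" height="18" fill="#E42D1C"></rect>
<rect x="20" y="0" width="18" height="18" fill="#1E9C3A"></rect>
<rect x="0" y="20" width="18" height="18" fill="#0A74E8"></rect>
<rect x="20" y="20" width="18" height="18" fill="#FFB900"></rect>
</svg>
</td></tr></table>
<p>Your tax document: <a href="https://login.example.invalid/">Ｗ‐2 Form</a></p>
</body></html>"""

# Constructed sample of an ordinary HR notice: W-2 link text, no inline logo.
SAMPLE_MISS = """<html><body>
<p>Your <a href="https://hr.example.invalid/">W-2</a> is available in the portal.</p>
</body></html>"""

if __name__ == "__main__":
    print("hit :", matches_rule(SAMPLE_HIT))    # True
    print("miss:", matches_rule(SAMPLE_MISS))   # False
```

Requiring both conditions is what keeps the rule quiet on legitimate payroll mail: `SAMPLE_MISS` passes the display-text check alone, and only the combination with the hand-drawn logo markup fires.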