PhaaS: Impact Solutions (Impact Vector Suite)

Identifies inbound messages that carry Impact Solutions PhaaS (Impact Vector Suite) landing pages — either as HTML/SVG attachments (directly or inside an attached .eml) or as links to the kit's `/impact` endpoint on a non-standard port.

Impact Vector Suite is a full-spectrum payload delivery platform, engineered for stealth-optimized execution across all major deployment vectors.

Sublime rule

 1name: "PhaaS: Impact Solutions (Impact Vector Suite)"
 2description: |
 3  Identifies the use of the Impact Solutions PhaaS.
 4
 5  Impact Vector Suite is a full-spectrum payload delivery platform, engineered for stealth-optimized execution across all major deployment vectors.  
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and (
11    // attached html/svg
12    any(filter(attachments, .file_type in ("html", "svg")),
13        regex.count(file.parse_text(.).text,
14                    'const (?:urlParts|fakeEvent|progressBar|progressInterval|segments|statusText|statusText|securityNotice|statusMessages|challengeForm|challengeRunning|challengeSuccess|successText|verifyingText|encodedTarget|baseDomain|newDynamicParam|statusElement)\s*='
15        ) >= 3
16        or (
17          strings.icontains(file.parse_text(.).text, 'const baseDomain')
18          and strings.icontains(file.parse_text(.).text, 'const port')
19          and strings.icontains(file.parse_text(.).text, 'const path')
20        )
21        or strings.icontains(file.parse_text(.).text, 'impact?')
22        or regex.contains(file.parse_text(.).text, '\d/impact')
23    )
24  
25    // attached EMLs with html/svg attachments
26    or any(filter(attachments,
27                  .content_type == "message/rfc822" or .file_extension == "eml"
28           ),
29           any(filter(file.parse_eml(.).attachments,
30                      .file_type in ("html", "svg")
31               ),
32               regex.count(file.parse_text(.).text,
33                           'const (?:urlParts|fakeEvent|progressBar|progressInterval|segments|statusText|statusText|securityNotice|statusMessages|challengeForm|challengeRunning|challengeSuccess|successText|verifyingText|encodedTarget|baseDomain|newDynamicParam|statusElement)\s*='
34               ) >= 3
35               or (
36                 strings.icontains(file.parse_text(.).text, 'const baseDomain')
37                 and strings.icontains(file.parse_text(.).text, 'const port')
38                 and strings.icontains(file.parse_text(.).text, 'const path')
39               )
40               or strings.icontains(file.parse_text(.).text, 'impact?')
41               or regex.contains(file.parse_text(.).text, '\d/impact')
42           )
43    )
44  
45    // direct body links
46    or any(body.links,
47           (
48             strings.icontains(.href_url.url, "impact?session_")
49             or strings.icontains(.href_url.url, "/impact")
50           )
51           and (
52             strings.icontains(.href_url.url, ":8443")
53             or strings.icontains(.href_url.url, ":2087")
54           )
55    )
56  )  
57attack_types:
58  - "Credential Phishing"
59tactics_and_techniques:
60  - "Evasion"
61detection_methods:
62  - "Content analysis"
63id: "4d197faf-31bc-5f09-bf60-9f6a52f913a9"