Update phaas_impact_solutions.yml (#3755)

Co-authored-by: CI Bot <hello@sublimesecurity.com>
Co-authored-by: Aiden Mitchell <me@aidenmitchell.ca>
Co-authored-by: Sam Scholten <sam@sublimesecurity.com>

Author: 4 people

detection-rules/phaas_impact_solutions.yml

@@ -8,33 +8,50 @@ severity: "medium"
 source: |
   type.inbound
   and (
-    (
-      length(attachments) >= 1
-      and any(attachments,
-              .size < 10000
-              and .file_extension == "htm"
-              and (
-                regex.icontains(file.parse_html(.).raw,
-                                "const (?:urlParts|fakeEvent|progressBar|segments)"
-                )
-                or any([file.parse_html(.).raw],
-                       strings.icontains(., "impact?")
-                       or strings.icontains(., "/impact")
-                )
-              )
-      )
+    // attached html/svg
+    any(filter(attachments, .file_type in ("html", "svg")),
+        regex.count(file.parse_text(.).text,
+                    'const (?:urlParts|fakeEvent|progressBar|progressInterval|segments|statusText|statusText|securityNotice|statusMessages|challengeForm|challengeRunning|challengeSuccess|successText|verifyingText|encodedTarget|baseDomain|newDynamicParam|statusElement)\s*='
+        ) >= 3
+        or (
+          strings.icontains(file.parse_text(.).text, 'const baseDomain')
+          and strings.icontains(file.parse_text(.).text, 'const port')
+          and strings.icontains(file.parse_text(.).text, 'const path')
+        )
+        or strings.icontains(file.parse_text(.).text, 'impact?')
+        or regex.contains(file.parse_text(.).text, '\d/impact')
     )
-    or (
-      any(body.links,
-          (
-            strings.icontains(.href_url.url, "impact?")
-            or strings.icontains(.href_url.url, "/impact")
-          )
-          and (
-            strings.icontains(.href_url.url, ":8443")
-            or strings.icontains(.href_url.url, ":2087")
-          )
-      )
+  
+    // attached EMLs with html/svg attachments
+    or any(filter(attachments,
+                  .content_type == "message/rfc822" or .file_extension == "eml"
+           ),
+           any(filter(file.parse_eml(.).attachments,
+                      .file_type in ("html", "svg")
+               ),
+               regex.count(file.parse_text(.).text,
+                           'const (?:urlParts|fakeEvent|progressBar|progressInterval|segments|statusText|statusText|securityNotice|statusMessages|challengeForm|challengeRunning|challengeSuccess|successText|verifyingText|encodedTarget|baseDomain|newDynamicParam|statusElement)\s*='
+               ) >= 3
+               or (
+                 strings.icontains(file.parse_text(.).text, 'const baseDomain')
+                 and strings.icontains(file.parse_text(.).text, 'const port')
+                 and strings.icontains(file.parse_text(.).text, 'const path')
+               )
+               or strings.icontains(file.parse_text(.).text, 'impact?')
+               or regex.contains(file.parse_text(.).text, '\d/impact')
+           )
+    )
+  
+    // direct body links
+    or any(body.links,
+           (
+             strings.icontains(.href_url.url, "impact?session_")
+             or strings.icontains(.href_url.url, "/impact")
+           )
+           and (
+             strings.icontains(.href_url.url, ":8443")
+             or strings.icontains(.href_url.url, ":2087")
+           )
     )
   )
 attack_types: