High Severity

Attachment: JPEG with gd-jpeg creator and suspicious file name

Description

Detects inbound messages containing a single JPEG attachment whose file name matches specific patterns and whose EXIF metadata Comment field indicates creation by gd-jpeg v1.0. gd-jpeg has been observed producing the company logos embedded in phishing messages.

References

No references.

Sublime Security
Created Jun 12th, 2026 • Last updated Jun 12th, 2026
Source
type.inbound
// exactly one JPEG attachment in the message
and length(filter(attachments, .file_type == "jpg")) == 1
and any(attachments,
        .file_type == "jpg"
        and .file_extension == "jpeg"
        // file name must contain "images" (case-insensitive) and either
        // a single path separator or two occurrences of "image"
        and strings.icontains(.file_name, 'images')
        and (
          strings.count(.file_name, '/') == 1
          or strings.count(.file_name, 'image') == 2
        )
        // the JPEG Comment field is where gd writes its creator string
        and any(beta.parse_exif(.).fields,
                .key =~ "Comment"
                and strings.istarts_with(.value, 'CREATOR: gd-jpeg v1.0')
        )
)
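As an added example (not part of the Sublime rule or its tooling), the Python below mirrors the rule's conditions over constructed sample attachments: it reads the JPEG COM segment, which exiftool and therefore beta.parse_exif expose as the Comment field, and applies the same file-name and creator-string checks. The attachment dictionaries, the minimal JPEG bytes and the assumption that strings.count is case-sensitive are all mine, not the page's.

```python
import struct

# Creator string the rule looks for at the start of the Comment field (compared case-insensitively).
GD_JPEG_PREFIX = b"creator: gd-jpeg v1.0"

def jpeg_comments(data: bytes) -> list:
    """Walk the JPEG marker segments and return every COM (0xFFFE) payload.
    exiftool, and hence beta.parse_exif, reports this segment as 'Comment'."""
    if data[:2] != b"\xff\xd8":  # no SOI marker: not a JPEG
        return []
    comments, pos = [], 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI / SOS: metadata segments are over
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xFE:
            comments.append(data[pos + 4:pos + 2 + length])
        pos += 2 + length
    return comments

def rule_matches(attachments: list) -> bool:
    """Python mirror of the MQL conditions; type.inbound is assumed true."""
    if sum(1 for a in attachments if a["file_type"] == "jpg") != 1:
        return False
    for a in attachments:
        name = a["file_name"]
        if (a["file_type"] == "jpg" and a["file_extension"] == "jpeg"
                and "images" in name.lower()  # strings.icontains
                and (name.count("/") == 1 or name.count("image") == 2)
                and any(c.lower().startswith(GD_JPEG_PREFIX)  # strings.istarts_with
                        for c in jpeg_comments(a["data"]))):
            return True
    return False

def make_jpeg(comment: bytes) -> bytes:
    """Constructed minimal JPEG (SOI + one COM segment + EOI), enough for metadata parsing."""
    return (b"\xff\xd8\xff\xfe" + struct.pack(">H", len(comment) + 2)
            + comment + b"\xff\xd9")

# Constructed sample attachments (not real samples); the comment text follows gd's own format.
GD_COMMENT = b"CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 90\n"
HIT = [{"file_type": "jpg", "file_extension": "jpeg",
        "file_name": "images/logo.jpeg", "data": make_jpeg(GD_COMMENT)}]
MISS = [{"file_type": "jpg", "file_extension": "jpeg",
         "file_name": "images/logo.jpeg", "data": make_jpeg(b"Created with GIMP")}]
```

Running `rule_matches(HIT)` returns True and `rule_matches(MISS)` returns False; feeding the parser a real attachment's bytes shows what the Comment check will see before the rule is deployed.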