• Sublime Core Feed
Low Severity

Inline image as message with attachment or link

Labels

Credential Phishing
Evasion
Image as content
Content analysis
HTML analysis
URL analysis

Description

Using inline images in lieu of HTML or text content in the message is a known technique used to bypass content based scanning engines.

We've observed this technique used to deliver malware via attachments and phish credentials.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and length(body.html.raw) < 200
and length(body.links) > 0
and (
  // as of 20220116 there's a link parsing bug with .png inline images, so ignore those
  any(body.links, not strings.ilike(.href_url.url, "*.png"))

  // cid images are treated as attachments, so we're looking for more than 1
  or (
    length(attachments) > 1
    and any(attachments, .file_type not in $file_types_images)
  )
)
and strings.ilike(body.html.raw, "*img*cid*")
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started