Low Severity
Inline image as message with attachment or link
Description
Using inline images in lieu of HTML or text content in the message is a known technique used to bypass content based scanning engines.
We've observed this technique used to deliver malware via attachments and phish credentials.
References
No references.
Sublime Security
Created Aug 17th, 2023 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and length(body.html.raw) < 200
and length(body.links) > 0
and (
// as of 20220116 there's a link parsing bug with .png inline images, so ignore those
any(body.links, not strings.ilike(.href_url.url, "*.png"))
// cid images are treated as attachments, so we're looking for more than 1
or (
length(attachments) > 1
and any(attachments, .file_type not in $file_types_images)
)
)
and strings.ilike(body.html.raw, "*img*cid*")
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
Playground
Test against your own EMLs or sample data.