- Credential Phishing
Attack Types
BEC/Fraud
Callback Phishing
Credential Phishing
Extortion
Malware/Ransomware
Reconnaissance
Spam
Tactics and Techniques
Encryption
Evasion
Exploit
Free email provider
Free file host
Free subdomain host
HTML smuggling
Image as content
Impersonation: Brand
Impersonation: Employee
Impersonation: VIP
IPFS
ISO
LNK
Lookalike domain
Macros
OneNote
Open redirect
Out of band pivot
PDF
Punycode
QR code
Scripting
Social engineering
Spoofing
Detection Methods
Archive analysis
Content analysis
Computer Vision
Exif analysis
File analysis
Header analysis
HTML analysis
Javascript analysis
Macro analysis
Natural Language Understanding
Optical Character Recognition
OLE analysis
PDF analysis
QR code analysis
Sender analysis
Threat intelligence
URL analysis
URL screenshot
Whois
XML analysis
YARA
Attack Type: Credential Phishing
Credential phishing attacks are designed to steal your login information by tricking you into entering it on fake login pages. These emails impersonate trusted services like Microsoft 365, Google Workspace, or banking sites, using urgent phrases like “verify your account,” “prevent suspension,” or “view shared document” to push you into clicking.
Once you click the link, it leads to a fake login page that looks convincing. If you enter your credentials, the attacker captures them immediately. Common examples include phishing emails pretending to be DocuSign requests, Dropbox links, or HR file shares—things that feel routine but create a false sense of urgency.
Attackers often use real platforms like Microsoft Forms, Google Forms, or compromised websites to host these fake login pages, making the links appear legitimate and harder for security tools to catch. The damage doesn’t stop at just stealing your login. Once attackers gain access, they can move through your organization, steal sensitive data, send internal phishing emails, or even launch a ransomware attack.
Blog Posts
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits · Blog · Sublime Security
Credential phishing Charles Schwab account holders with 2FA bypass · Blog · Sublime Security
Detecting malicious AnonymousFox email messages sent from compromised sites · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Hidden credential phishing within EML attachments · Blog · Sublime Security
Living Off the Land: Credential Phishing via Docusign abuse · Blog · Sublime Security
Living Off the Land: Callback Phishing via Docusign comment · Blog · Sublime Security
Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics · Blog · Sublime Security
Email Topic Modeling: Simplifying detection with ML-powered granularity · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
Tactics & Techniques (25):
Evasion
Free file host
Social engineering
Impersonation: Brand
PDF
QR code
Encryption
Lookalike domain
OneNote
Free subdomain host
Open redirect
Scripting
Spoofing
Free email provider
Image as content
Impersonation: Employee
Impersonation: VIP
Macros
IPFS
HTML injection
HTML smuggling
LNK
Out of band pivot
Exploit
Punycode
Detection Methods (20):
Natural Language Understanding
Computer Vision
Optical Character Recognition
URL analysis
URL screenshot
Sender analysis
Content analysis
Header analysis
HTML analysis
File analysis
QR code analysis
Exif analysis
Whois
Javascript analysis
Threat intelligence
Archive analysis
YARA
Macro analysis
OLE analysis
XML analysis
Rule Name & Severity | Last Updated | Author | Types, Tactics & Capabilities | |
|---|---|---|---|---|
Link: Figma design deck with credential theft language | 13h ago Mar 4th, 2026 | Sublime Security | /feeds/core/detection-rules/link-figma-design-deck-with-credential-theft-language-87601924 | |
Brand Impersonation: Disney | 17h ago Mar 4th, 2026 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-disney-bf90b8fb | |
Service abuse: DocSend share from an unsolicited reply-to address | 18h ago Mar 4th, 2026 | Sublime Security | /feeds/core/detection-rules/service-abuse-docsend-share-from-an-unsolicited-reply-to-address-b377e64c | |
Link: Apple App Store link to apps impersonating AI adveristing | 20h ago Mar 4th, 2026 | Sublime Security | /feeds/core/detection-rules/link-apple-app-store-link-to-apps-impersonating-ai-adveristing-19b556e6 | |
Attachment: PDF with recipient email in link | 2d ago Mar 3rd, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-pdf-with-recipient-email-in-link-0399d08f | |
Link: Google Forms link with credential theft language | 3d ago Mar 2nd, 2026 | Sublime Security | /feeds/core/detection-rules/link-google-forms-link-with-credential-theft-language-0cad40e2 | |
Fake warning banner using confusable characters | 3d ago Mar 2nd, 2026 | Sublime Security | /feeds/core/detection-rules/fake-warning-banner-using-confusable-characters-179ee1ff | |
Attachment: PDF with a suspicious string and single URL | 3d ago Mar 2nd, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-pdf-with-a-suspicious-string-and-single-url-3bdbb7ad | |
Brand impersonation: Chase Bank | 3d ago Mar 2nd, 2026 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-chase-bank-c680f1e7 | |
Attachment: Finance themed PDF with observed phishing template | 3d ago Mar 2nd, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-finance-themed-pdf-with-observed-phishing-template-c936f7cc | |
Link: SharePoint OneNote or PDF link with self sender behavior | 6d ago Feb 27th, 2026 | Sublime Security | /feeds/core/detection-rules/link-sharepoint-onenote-or-pdf-link-with-self-sender-behavior-588e7203 | |
Link: Multistage landing - ClickUp abuse | 6d ago Feb 27th, 2026 | Sublime Security | /feeds/core/detection-rules/link-multistage-landing-clickup-abuse-78a5d035 | |
Attachment: PDF with suspicious link and action-oriented language | 6d ago Feb 27th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-pdf-with-suspicious-link-and-action-oriented-language-816d33a0 | |
Brand impersonation: Zoom via HTML styling | 6d ago Feb 27th, 2026 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-zoom-via-html-styling-b717920d | |
Attachment: PDF with multistage landing - ClickUp abuse | 6d ago Feb 27th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-pdf-with-multistage-landing-clickup-abuse-0dc40316 | |
Attachment: PDF with ReportLab library and default metadata | 6d ago Feb 27th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-pdf-with-reportlab-library-and-default-metadata-7094bfdd | |
Attachment: Encrypted PDF with credential theft body | 7d ago Feb 26th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-encrypted-pdf-with-credential-theft-body-c9596c9a | |
Credential theft with 'safe content' deception and social engineering topics | 8d ago Feb 25th, 2026 | Sublime Security | /feeds/core/detection-rules/credential-theft-with-safe-content-deception-and-social-engineering-topics-22ceee0d | |
Link: JavaScript obfuscation with Telegram bot integration | 8d ago Feb 25th, 2026 | Sublime Security | /feeds/core/detection-rules/link-javascript-obfuscation-with-telegram-bot-integration-032a4485 | |
Brand impersonation: DocuSign | 9d ago Feb 24th, 2026 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-docusign-4d29235c |
Page 1 of 25