Tactic or Technique: Encryption

Attackers use encryption to hide malicious content, avoid detection, and control when and how their payloads are delivered. By encrypting files or obfuscating code, they can slip past email security tools that scan attachments and message content for known threats.
You might receive a password-protected ZIP or PDF that contains malware or a phishing link. Some attacks use encrypted HTML files that only show a fake login page after they're opened. Others use base64 or similar encoding to hide malicious code inside files that look harmless at first glance.
In many cases, the password to unlock the file is included in the email, sent in a follow-up message, or shared over another channel. Some attackers also encrypt stolen data before exfiltrating it to avoid detection on the way out.
This tactic gives attackers more control and makes it harder for you—and your security tools—to see what’s really happening. It's often used in the early stages of malware delivery, data theft, or ransomware attacks.
| Rule Name | Last Updated | Author | Rule Path |
| --- | --- | --- | --- |
| Attachment: PDF with recipient email in link | Mar 3rd, 2026 (2d ago) | Sublime Security | /feeds/core/detection-rules/attachment-pdf-with-recipient-email-in-link-0399d08f |
| Attachment: Encrypted PDF with credential theft body | Feb 26th, 2026 (7d ago) | Sublime Security | /feeds/core/detection-rules/attachment-encrypted-pdf-with-credential-theft-body-c9596c9a |
| Attachment: PDF with password in filename matching body text | Feb 19th, 2026 (14d ago) | Sublime Security | /feeds/core/detection-rules/attachment-pdf-with-password-in-filename-matching-body-text-2c9c3b24 |
| Attachment: Password-protected PDF with fake document indicators | Jan 21st, 2026 (1mo ago) | Sublime Security | /feeds/core/detection-rules/attachment-password-protected-pdf-with-fake-document-indicators-b45e4440 |
| Link: Excessive URL rewrite encoders | Jan 21st, 2026 (1mo ago) | Sublime Security | /feeds/core/detection-rules/link-excessive-url-rewrite-encoders-b88e53a7 |
| Attachment: EML with Encrypted ZIP | Jan 12th, 2026 (1mo ago) | Sublime Security | /feeds/core/detection-rules/attachment-eml-with-encrypted-zip-6897a8f7 |
| Link to auto-download of a suspicious file type (unsolicited) | Jan 12th, 2026 (1mo ago) | Sublime Security | /feeds/core/detection-rules/link-to-auto-download-of-a-suspicious-file-type-unsolicited-67ae2152 |
| Attachment: Encrypted Microsoft Office file (unsolicited) | Jan 12th, 2026 (1mo ago) | Sublime Security | /feeds/core/detection-rules/attachment-encrypted-microsoft-office-file-unsolicited-1e47e953 |
| Attachment: HTML smuggling with excessive line break obfuscation | Jan 12th, 2026 (1mo ago) | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-excessive-line-break-obfuscation-7e901440 |
| Attachment: HTML smuggling with RC4 decryption | Jan 12th, 2026 (1mo ago) | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-rc4-decryption-3a46d765 |
| Link to auto-downloaded disk image in encrypted zip | Jan 12th, 2026 (1mo ago) | @ajpc500 | /feeds/core/detection-rules/link-to-auto-downloaded-disk-image-in-encrypted-zip-b50f0cb1 |
| Attachment: HTML smuggling with ROT13 | Jan 12th, 2026 (1mo ago) | @Kyle_Parrish_ | /feeds/core/detection-rules/attachment-html-smuggling-with-rot13-6eacc4cf |
| Link: Base64 encoded recipient address in URL fragment with subject hash | Jan 12th, 2026 (1mo ago) | Sublime Security | /feeds/core/detection-rules/link-base64-encoded-recipient-address-in-url-fragment-with-subject-hash-eb9694b8 |
| Attachment: Encrypted zip file with payment-related lure | Nov 25th, 2025 (3mo ago) | Sublime Security | /feeds/core/detection-rules/attachment-encrypted-zip-file-with-payment-related-lure-5d1eb7af |
| Attachment: Base64 encoded bash command in filename | Sep 5th, 2025 (6mo ago) | @vector_sec | /feeds/core/detection-rules/attachment-base64-encoded-bash-command-in-filename-819f69c8 |
| Encrypted Microsoft Office files from untrusted sender | Aug 5th, 2025 (7mo ago) | Sublime Security | /feeds/core/detection-rules/encrypted-microsoft-office-files-from-untrusted-sender-eb7b26e7 |
| Adobe branded PDF file linking to a password-protected file from untrusted sender | Jul 16th, 2025 (7mo ago) | Sublime Security | /feeds/core/detection-rules/adobe-branded-pdf-file-linking-to-a-password-protected-file-from-untrusted-sender-5ea75469 |
| Link to auto-downloaded DMG in encrypted zip | Jul 16th, 2025 (7mo ago) | Sublime Security | /feeds/core/detection-rules/link-to-auto-downloaded-dmg-in-encrypted-zip-43af98d3 |
| Attachment with encrypted zip (unsolicited) | Jul 16th, 2025 (7mo ago) | Sublime Security | /feeds/core/detection-rules/attachment-with-encrypted-zip-unsolicited-697c87ae |
| Attachment with unscannable encrypted zip (unsolicited) | Jul 16th, 2025 (7mo ago) | Sublime Security | /feeds/core/detection-rules/attachment-with-unscannable-encrypted-zip-unsolicited-529d4a9a |