Tactic or Technique: Encryption

Attackers use encryption to hide malicious content, avoid detection, and control when and how their payloads are delivered. By encrypting files or obfuscating code, they can slip past email security tools that scan attachments and message content for known threats.
You might receive a password-protected ZIP or PDF that contains malware or a phishing link. Some attacks use encrypted HTML files that only show a fake login page after they're opened. Others use base64 or similar encoding to hide malicious code inside files that look harmless at first glance.
In many cases, the password to unlock the file is included in the email, sent in a follow-up message, or shared over another channel. Some attackers also encrypt stolen data before sending it out to avoid detection on the way out.
This tactic gives attackers more control and makes it harder for you—and your security tools—to see what’s really happening. It's often used in the early stages of malware delivery, data theft, or ransomware attacks.
Detection Methods (12):
File analysis
YARA
Sender analysis
Archive analysis
URL analysis
Content analysis
Exif analysis
Natural Language Understanding
Optical Character Recognition
OLE analysis
HTML analysis
Javascript analysis
Detection rules (Rule Name & Severity, Last Updated, Author, Types, Tactics & Capabilities):

Rule: Encrypted Microsoft Office Files From Untrusted Senders
Last updated: Jun 4th, 2025 UTC (14d ago)
Author: Sublime Security
Types, tactics & capabilities: BEC/Fraud, Callback Phishing, Credential Phishing, Extortion, Malware/Ransomware, Spam, Encryption, Evasion, File analysis, YARA, Sender analysis
Link: /feeds/core/detection-rules/encrypted-microsoft-office-files-from-untrusted-senders-eb7b26e7

Rule: Link to auto-download of a suspicious file type (unsolicited)
Last updated: Mar 5th, 2025 UTC (3mo ago)
Author: Sublime Security
Types, tactics & capabilities: Malware/Ransomware, Encryption, Evasion, LNK, Social engineering, Archive analysis, File analysis, Sender analysis, URL analysis, YARA
Link: /feeds/core/detection-rules/link-to-auto-download-of-a-suspicious-file-type-unsolicited-67ae2152

Rule: Attachment: Encrypted PDF With Credential Theft Body
Last updated: Oct 10th, 2024 UTC (8mo ago)
Author: Sublime Security
Types, tactics & capabilities: Credential Phishing, Encryption, Evasion, PDF, Social engineering, Content analysis, Exif analysis, File analysis, Natural Language Understanding, Sender analysis
Link: /feeds/core/detection-rules/attachment-encrypted-pdf-with-credential-theft-body-c9596c9a

Rule: Link to auto-downloaded disk image in encrypted zip
Last updated: Apr 25th, 2024 UTC (1y ago)
Author: @ajpc500
Types, tactics & capabilities: Malware/Ransomware, Encryption, Evasion, Social engineering, Archive analysis, File analysis, Sender analysis, URL analysis, YARA
Link: /feeds/core/detection-rules/link-to-auto-downloaded-disk-image-in-encrypted-zip-b50f0cb1

Rule: Link to auto-downloaded DMG in encrypted zip
Last updated: Apr 25th, 2024 UTC (1y ago)
Author: Sublime Security
Types, tactics & capabilities: Malware/Ransomware, Encryption, Evasion, Social engineering, Archive analysis, File analysis, Sender analysis, URL analysis, YARA
Link: /feeds/core/detection-rules/link-to-auto-downloaded-dmg-in-encrypted-zip-43af98d3

Rule: Adobe branded PDF file linking to a password-protected file from untrusted sender
Last updated: Feb 23rd, 2024 UTC (1y ago)
Author: Sublime Security
Types, tactics & capabilities: Malware/Ransomware, Encryption, Evasion, Impersonation: Brand, PDF, Archive analysis, File analysis, Natural Language Understanding, Optical Character Recognition, Sender analysis
Link: /feeds/core/detection-rules/adobe-branded-pdf-file-linking-to-a-password-protected-file-from-untrusted-sender-5ea75469

Rule: Attachment: Encrypted Microsoft Office file (unsolicited)
Last updated: Dec 19th, 2023 UTC (2y ago)
Author: Sublime Security
Types, tactics & capabilities: Malware/Ransomware, Encryption, Macros, Scripting, Archive analysis, File analysis, OLE analysis, Sender analysis
Link: /feeds/core/detection-rules/attachment-encrypted-microsoft-office-file-unsolicited-1e47e953

Rule: Attachment with encrypted zip (unsolicited)
Last updated: Nov 25th, 2023 UTC (2y ago)
Author: Sublime Security
Types, tactics & capabilities: Malware/Ransomware, Evasion, Encryption, Archive analysis, File analysis, Sender analysis
Link: /feeds/core/detection-rules/attachment-with-encrypted-zip-unsolicited-697c87ae

Rule: Attachment with unscannable encrypted zip (unsolicited)
Last updated: Nov 1st, 2023 UTC (2y ago)
Author: Sublime Security
Types, tactics & capabilities: Malware/Ransomware, Encryption, Evasion, Archive analysis, File analysis, Sender analysis, YARA
Link: /feeds/core/detection-rules/attachment-with-unscannable-encrypted-zip-unsolicited-529d4a9a

Rule: Attachment: HTML smuggling with excessive line break obfuscation
Last updated: Sep 8th, 2023 UTC (2y ago)
Author: Sublime Security
Types, tactics & capabilities: Credential Phishing, Malware/Ransomware, Encryption, Evasion, HTML smuggling, Scripting, Archive analysis, Content analysis, File analysis, HTML analysis, Javascript analysis
Link: /feeds/core/detection-rules/attachment-html-smuggling-with-excessive-line-break-obfuscation-7e901440

Rule: Attachment: HTML smuggling with ROT13
Last updated: Aug 21st, 2023 UTC (2y ago)
Author: @Kyle_Parrish_
Types, tactics & capabilities: Credential Phishing, Malware/Ransomware, Encryption, Evasion, HTML smuggling, Scripting, Archive analysis, Content analysis, File analysis, Javascript analysis, HTML analysis
Link: /feeds/core/detection-rules/attachment-html-smuggling-with-rot13-6eacc4cf

Rule: Attachment: HTML smuggling with RC4 decryption
Last updated: Aug 21st, 2023 UTC (2y ago)
Author: Sublime Security
Types, tactics & capabilities: Credential Phishing, Malware/Ransomware, Encryption, Evasion, HTML smuggling, Scripting, Archive analysis, Content analysis, File analysis, HTML analysis, Javascript analysis
Link: /feeds/core/detection-rules/attachment-html-smuggling-with-rc4-decryption-3a46d765