Tactic or Technique: Encryption

Attackers use encryption to hide malicious content, avoid detection, and control when and how their payloads are delivered. By encrypting files or obfuscating code, they can slip past email security tools that scan attachments and message content for known threats.
You might receive a password-protected ZIP or PDF that contains malware or a phishing link. Some attacks use encrypted HTML files that only show a fake login page after they're opened. Others use base64 or similar encoding to hide malicious code inside files that look harmless at first glance.
In many cases, the password to unlock the file is included in the email, sent in a follow-up message, or shared over another channel. Some attackers also encrypt stolen data before sending it out to avoid detection on the way out.
This tactic gives attackers more control and makes it harder for you—and your security tools—to see what’s really happening. It's often used in the early stages of malware delivery, data theft, or ransomware attacks.
| Rule Name & Severity | Last Updated | Author | Rule path |
| --- | --- | --- | --- |
| Attachment: Encrypted PDF with credential theft body | Nov 8th, 2025 (4d ago) | Sublime Security | /feeds/core/detection-rules/attachment-encrypted-pdf-with-credential-theft-body-c9596c9a |
| Attachment: EML with Encrypted ZIP | Nov 4th, 2025 (8d ago) | Sublime Security | /feeds/core/detection-rules/attachment-eml-with-encrypted-zip-6897a8f7 |
| Attachment: PDF with recipient email in link | Oct 10th, 2025 (1mo ago) | Sublime Security | /feeds/core/detection-rules/attachment-pdf-with-recipient-email-in-link-0399d08f |
| Attachment: Base64 encoded bash command in filename | Sep 5th, 2025 (2mo ago) | @vector_sec | /feeds/core/detection-rules/attachment-base64-encoded-bash-command-in-filename-819f69c8 |
| Encrypted Microsoft Office files from untrusted sender | Aug 5th, 2025 (3mo ago) | Sublime Security | /feeds/core/detection-rules/encrypted-microsoft-office-files-from-untrusted-sender-eb7b26e7 |
| Link to auto-download of a suspicious file type (unsolicited) | Jul 16th, 2025 (3mo ago) | Sublime Security | /feeds/core/detection-rules/link-to-auto-download-of-a-suspicious-file-type-unsolicited-67ae2152 |
| Adobe branded PDF file linking to a password-protected file from untrusted sender | Jul 16th, 2025 (3mo ago) | Sublime Security | /feeds/core/detection-rules/adobe-branded-pdf-file-linking-to-a-password-protected-file-from-untrusted-sender-5ea75469 |
| Link to auto-downloaded DMG in encrypted zip | Jul 16th, 2025 (3mo ago) | Sublime Security | /feeds/core/detection-rules/link-to-auto-downloaded-dmg-in-encrypted-zip-43af98d3 |
| Attachment with unscannable encrypted zip (unsolicited) | Jul 16th, 2025 (3mo ago) | Sublime Security | /feeds/core/detection-rules/attachment-with-unscannable-encrypted-zip-unsolicited-529d4a9a |
| Link to auto-downloaded disk image in encrypted zip | Jul 16th, 2025 (3mo ago) | @ajpc500 | /feeds/core/detection-rules/link-to-auto-downloaded-disk-image-in-encrypted-zip-b50f0cb1 |
| Attachment: Encrypted Microsoft Office file (unsolicited) | Jul 16th, 2025 (3mo ago) | Sublime Security | /feeds/core/detection-rules/attachment-encrypted-microsoft-office-file-unsolicited-1e47e953 |
| Attachment with encrypted zip (unsolicited) | Jul 16th, 2025 (3mo ago) | Sublime Security | /feeds/core/detection-rules/attachment-with-encrypted-zip-unsolicited-697c87ae |
| Attachment: HTML smuggling with excessive line break obfuscation | Sep 8th, 2023 (2y ago) | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-excessive-line-break-obfuscation-7e901440 |
| Attachment: HTML smuggling with ROT13 | Aug 21st, 2023 (2y ago) | @Kyle_Parrish_ | /feeds/core/detection-rules/attachment-html-smuggling-with-rot13-6eacc4cf |
| Attachment: HTML smuggling with RC4 decryption | Aug 21st, 2023 (2y ago) | Sublime Security | /feeds/core/detection-rules/attachment-html-smuggling-with-rc4-decryption-3a46d765 |