Tactic or Technique: Evasion

Evasion techniques help attackers sneak past email security filters by hiding or disguising malicious content. These tactics are designed to fool both traditional scanners and newer AI-based systems by changing how the message is structured or displayed.

You might see phishing content buried under blocks of harmless-looking text, or important details shown as images so they can't be scanned. Some messages break up keywords using hidden HTML or use misspelled words and lookalike characters to trick you into missing the signs.

More advanced versions use JavaScript that reveals the payload only after the message has passed through security checks. Others try to confuse AI systems with prompt injection or strange formatting.

These techniques create gaps in protection and give attackers a better chance of reaching your inbox. Spotting them early is key. The more familiar you are with how these tricks work, the easier it is to catch them before they do damage.

Blog Posts

Hiding a $50,000 BEC financial fraud in a fake email thread

Callback phishing via invoice abuse and distribution list relays

Hidden credential phishing within EML attachments

Living Off the Land: Credential Phishing via Docusign abuse

Living Off the Land: Callback Phishing via Docusign comment

Gotta Catch 'Em All: Detecting PikaBot Delivery Techniques

Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction

Attack Types (6):

Detection Methods (15):

Exif analysis

File analysis

Optical Character Recognition

Sender analysis

Archive analysis

Macro analysis

Natural Language Understanding

Rule Name & Severity	Last Updated	Author	Types, Tactics & Capabilities
Attachment: Callback Phishing solicitation via pdf file	3h ago Jun 18th, 2025 UTC	Sublime Security	Callback Phishing Evasion Free email provider Out of band pivot PDF Social engineering Exif analysis File analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097
Attachment: Macro Files Containing MHT Content	6d ago Jun 12th, 2025 UTC	Sublime Security	Malware/Ransomware Credential Phishing Evasion Macros Scripting Archive analysis File analysis Macro analysis	/feeds/core/detection-rules/attachment-macro-files-containing-mht-content-4d54e40b
EML attachment with credential theft language (unknown sender)	6d ago Jun 12th, 2025 UTC	Sublime Security	Credential Phishing Evasion Social engineering Natural Language Understanding Sender analysis Content analysis Header analysis	/feeds/core/detection-rules/eml-attachment-with-credential-theft-language-unknown-sender-00e06af1
Suspicious message with unscannable Vercel link	8d ago Jun 10th, 2025 UTC	Sublime Security	Credential Phishing Evasion Content analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/suspicious-message-with-unscannable-vercel-link-b5acffe7
Link: Secure SharePoint file share from new or unusual sender	8d ago Jun 10th, 2025 UTC	Sublime Security	Credential Phishing Free file host Evasion Content analysis Sender analysis	/feeds/core/detection-rules/link-secure-sharepoint-file-share-from-new-or-unusual-sender-74ed3020
Attachment: Suspicious PDF Created With Headless Browser	9d ago Jun 9th, 2025 UTC	Sublime Security	Credential Phishing Evasion PDF Content analysis Exif analysis File analysis Optical Character Recognition	/feeds/core/detection-rules/attachment-suspicious-pdf-created-with-headless-browser-8f3108d7
Attachment: Legal Themed Message with PDF Containing Suspicious Link	12d ago Jun 6th, 2025 UTC	Sublime Security	Credential Phishing Evasion PDF Social engineering Content analysis File analysis Header analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/attachment-legal-themed-message-with-pdf-containing-suspicious-link-19133301
Vendor Compromise: GovDelivery Message With Suspicious Link	14d ago Jun 4th, 2025 UTC	Sublime Security	Credential Phishing Malware/Ransomware Free subdomain host IPFS Social engineering Evasion Impersonation: Brand Natural Language Understanding URL analysis Whois	/feeds/core/detection-rules/vendor-compromise-govdelivery-message-with-suspicious-link-0d2d5172
Encrypted Microsoft Office Files From Untrusted Senders	14d ago Jun 4th, 2025 UTC	Sublime Security	BEC/Fraud Callback Phishing Credential Phishing Extortion Malware/Ransomware Spam Encryption Evasion File analysis YARA Sender analysis	/feeds/core/detection-rules/encrypted-microsoft-office-files-from-untrusted-senders-eb7b26e7
Malformed URL prefix	15d ago Jun 3rd, 2025 UTC	Sublime Security	Credential Phishing Malware/Ransomware Evasion URL analysis	/feeds/core/detection-rules/malformed-url-prefix-4e659d28
Attachment: HTML smuggling with atob and high entropy via calendar invite	15d ago Jun 3rd, 2025 UTC	Sublime Security	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting File analysis HTML analysis Javascript analysis Sender analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-atob-and-high-entropy-via-calendar-invite-94d84614
Attachment: HTML smuggling with eval and atob via calendar invite	15d ago Jun 3rd, 2025 UTC	Sublime Security	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting File analysis HTML analysis Javascript analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-eval-and-atob-via-calendar-invite-597c2edd
Attachment: EML with Suspicious Indicators	16d ago Jun 2nd, 2025 UTC	Sublime Security	Credential Phishing Evasion HTML smuggling Social engineering Content analysis File analysis	/feeds/core/detection-rules/attachment-eml-with-suspicious-indicators-deb5d08d
Suspicious attachment with unscannable Cloudflare link	16d ago Jun 2nd, 2025 UTC	Sublime Security	Credential Phishing Evasion PDF Social engineering Impersonation: Employee Impersonation: VIP File analysis URL analysis Sender analysis Content analysis Header analysis Natural Language Understanding	/feeds/core/detection-rules/suspicious-attachment-with-unscannable-cloudflare-link-00f92b6f
Attachment: Fake attachment image lure	19d ago May 30th, 2025 UTC	Sublime Security	Credential Phishing Malware/Ransomware Evasion Image as content Social engineering File analysis Natural Language Understanding Optical Character Recognition	/feeds/core/detection-rules/attachment-fake-attachment-image-lure-96b8b285
Open redirect: typedrawers.com	26d ago May 23rd, 2025 UTC	Sublime Security	Credential Phishing Evasion Open redirect QR code Social engineering Content analysis File analysis QR code analysis Sender analysis	/feeds/core/detection-rules/open-redirect-typedrawerscom-158d9e95
Open Redirect: Xfinity CMP Redirection to Google AMP	26d ago May 23rd, 2025 UTC	Sublime Security	Credential Phishing Open redirect Evasion Header analysis URL analysis Sender analysis	/feeds/core/detection-rules/open-redirect-xfinity-cmp-redirection-to-google-amp-c0805b80
Open redirect: next2.io	26d ago May 23rd, 2025 UTC	Sublime Security	Credential Phishing Evasion Open redirect Social engineering Content analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/open-redirect-next2io-5085c422
Open redirect: slubnaglowie.pl	26d ago May 23rd, 2025 UTC	Sublime Security	Credential Phishing Evasion Open redirect Social engineering Content analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/open-redirect-slubnaglowiepl-2ec356d0
Service Abuse: Zoom Docs From an Unsolicited Sender Address	26d ago May 23rd, 2025 UTC	Sublime Security	Credential Phishing Social engineering Free file host Evasion HTML analysis Sender analysis Header analysis	/feeds/core/detection-rules/service-abuse-zoom-docs-from-an-unsolicited-sender-address-064b2594

Attack Types

Tactics and Techniques

Detection Methods

Tactic or Technique: Evasion