Evasion

Tactic or Technique: Evasion

Evasion techniques help attackers sneak past email security filters by hiding or disguising malicious content. These tactics are designed to fool both traditional scanners and newer AI-based systems by changing how the message is structured or displayed.

You might see phishing content buried under blocks of harmless-looking text, or important details shown as images so they can't be scanned. Some messages break up keywords using hidden HTML or use misspelled words and lookalike characters to trick you into missing the signs.

More advanced versions use JavaScript that reveals the payload only after the message has passed through security checks. Others try to confuse AI systems with prompt injection or strange formatting.

These techniques create gaps in protection and give attackers a better chance of reaching your inbox. Spotting them early is key. The more familiar you are with how these tricks work, the easier it is to catch them before they do damage.

Blog Posts

Hiding a $50,000 BEC financial fraud in a fake email thread

Callback phishing via invoice abuse and distribution list relays

Hidden credential phishing within EML attachments

Living Off the Land: Credential Phishing via Docusign abuse

Living Off the Land: Callback Phishing via Docusign comment

Gotta Catch 'Em All: Detecting PikaBot Delivery Techniques

Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction

Attack Types (4):

Detection Methods (11):

Content analysis

Header analysis

Natural Language Understanding

URL analysis

Computer Vision

Optical Character Recognition

Rule Name & Severity	Last Updated	Author	Types, Tactics & Capabilities
Xero Infrastructure Abuse	6h ago May 23rd, 2025	Sublime Security	Credential Phishing Evasion Social engineering Content analysis Header analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/xero-infrastructure-abuse-918c4bd3
Link: Direct Link to keap.app contact-us page	6h ago May 23rd, 2025	Sublime Security	Credential Phishing Malware/Ransomware Free file host Evasion URL analysis	/feeds/core/detection-rules/link-direct-link-to-keapapp-contact-us-page-a7a69267
Callback phishing via Intuit service abuse	2d ago May 21st, 2025	Sublime Security	Callback Phishing Evasion Free email provider Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Optical Character Recognition	/feeds/core/detection-rules/callback-phishing-via-intuit-service-abuse-f2fe1294
Canva Design With Suspicious Embedded Link	7d ago May 16th, 2025	Sublime Security	Credential Phishing Evasion Social engineering Free file host HTML analysis URL analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/canva-design-with-suspicious-embedded-link-02959e22
Link: Multistage Landing - Scribd Document	7d ago May 16th, 2025	Sublime Security	Credential Phishing Evasion Social engineering Impersonation: Brand Free file host URL analysis HTML analysis Natural Language Understanding Computer Vision Optical Character Recognition URL screenshot	/feeds/core/detection-rules/link-multistage-landing-scribd-document-afa9807d
EML attachment with credential theft language (unknown sender)	7d ago May 16th, 2025	Sublime Security	Credential Phishing Evasion Social engineering Natural Language Understanding Sender analysis Content analysis Header analysis	/feeds/core/detection-rules/eml-attachment-with-credential-theft-language-unknown-sender-00e06af1
Brand Impersonation: Zoom	8d ago May 15th, 2025	Sublime Security	Credential Phishing Impersonation: Brand Social engineering Evasion Computer Vision Content analysis HTML analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/brand-impersonation-zoom-5abad540
Vendor Compromise: GovDelivery Message With Suspicious Link	8d ago May 15th, 2025	Sublime Security	Credential Phishing Malware/Ransomware Free subdomain host IPFS Social engineering Evasion Impersonation: Brand Natural Language Understanding URL analysis Whois	/feeds/core/detection-rules/vendor-compromise-govdelivery-message-with-suspicious-link-0d2d5172
Link: Multistage Landing - Ludus Presentation	9d ago May 14th, 2025	Sublime Security	Credential Phishing Evasion Social engineering Impersonation: Brand Header analysis URL analysis Computer Vision URL screenshot Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/link-multistage-landing-ludus-presentation-a8b3c311
Link: Scribd Fullscreen Link From Suspicious Sender	9d ago May 14th, 2025	Sublime Security	Credential Phishing Free file host Social engineering Evasion URL analysis Sender analysis	/feeds/core/detection-rules/link-scribd-fullscreen-link-from-suspicious-sender-9e9bc972
Request for Quote or Purchase (RFQ\|RFP) with suspicious sender or recipient pattern	9d ago May 14th, 2025	Sublime Security	BEC/Fraud Evasion Free email provider Content analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/request-for-quote-or-purchase-rfqorrfp-with-suspicious-sender-or-recipient-pattern-2ac0d329
Salesforce Infrastructure Abuse	14d ago May 9th, 2025	Sublime Security	Credential Phishing Evasion Social engineering Content analysis Header analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/salesforce-infrastructure-abuse-78a77c70
Link: Display Text Matches Subject Line	14d ago May 9th, 2025	Sublime Security	BEC/Fraud Credential Phishing Social engineering Evasion Header analysis Content analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/link-display-text-matches-subject-line-ba722cf0
Link: Figma Design Deck With Credential Phishing Language	16d ago May 7th, 2025	Sublime Security	Credential Phishing Evasion Free file host Social engineering Natural Language Understanding Computer Vision Optical Character Recognition URL analysis URL screenshot Sender analysis	/feeds/core/detection-rules/link-figma-design-deck-with-credential-phishing-language-87601924
HR Impersonation via E-sign Agreement Comment	18d ago May 5th, 2025	Sublime Security	BEC/Fraud Credential Phishing Evasion Impersonation: Brand Out of band pivot Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/hr-impersonation-via-e-sign-agreement-comment-796c6f0f
Link: Multistage Landing - Abused Google Drive	18d ago May 5th, 2025	Sublime Security	Credential Phishing Evasion Free email provider Free file host Content analysis Sender analysis URL analysis Whois HTML analysis	/feeds/core/detection-rules/link-multistage-landing-abused-google-drive-c86288b4
Issuu Document With Suspicious Embedded Link	18d ago May 5th, 2025	Sublime Security	Credential Phishing Social engineering Free file host Evasion URL analysis URL screenshot Natural Language Understanding Optical Character Recognition	/feeds/core/detection-rules/issuu-document-with-suspicious-embedded-link-0d73f43d
Link: ScreenConnect Installer With Suspicious Relay Domain	21d ago May 2nd, 2025	Sublime Security	Malware/Ransomware Evasion Out of band pivot Social engineering URL analysis File analysis Content analysis	/feeds/core/detection-rules/link-screenconnect-installer-with-suspicious-relay-domain-37d21eef
Link: Direct Link to gamma.app Presentation in Present Mode	23d ago Apr 30th, 2025	Sublime Security	Credential Phishing Malware/Ransomware Free file host Evasion URL analysis	/feeds/core/detection-rules/link-direct-link-to-gammaapp-presentation-in-present-mode-080ab581
Service Abuse: HelloSign From an Unsolicited Sender Address	23d ago Apr 30th, 2025	Sublime Security	Credential Phishing Social engineering Free file host Evasion HTML analysis Sender analysis Header analysis	/feeds/core/detection-rules/service-abuse-hellosign-from-an-unsolicited-sender-address-68ca0753