Detection Method: Exif analysis

Exif analysis looks at embedded metadata in files to uncover suspicious details that could indicate malicious activity. By extracting and analyzing Exif data from images, documents, PDFs, and other attachments, this method can help spot hidden threats that would normally go undetected.
Exif analysis can detect:
  • Document timestamps that don’t match the claimed origin
  • Authorship info that conflicts with the sender’s identity
  • Signs of image or document manipulation
  • Suspicious tools used to create the file
  • Geographical data that’s inconsistent with the expected origin
For example, a phishing email claiming to be an invoice might have metadata showing it was created with unauthorized tools, edited recently, or authored by someone outside the company it’s pretending to be from.
Attack Types (6):
Credential Phishing
Malware/Ransomware
BEC/Fraud
Callback Phishing
Extortion
Spam
Tactics & Techniques (16):
PDF
Social engineering
Evasion
Encryption
Free file host
Free email provider
Out of band pivot
Free subdomain host
QR code
Impersonation: Brand
Macros
Impersonation: VIP
Scripting
Exploit
LNK
Image as content
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Attachment: PDF with a suspicious string and single URL
6d ago
Jun 17th, 2026
Sublime Security
Credential Phishing
PDF
Social engineering
Evasion
Content analysis
File analysis
URL analysis
Exif analysis
Attachment: Encrypted PDF with credential theft body
6d ago
Jun 17th, 2026
Sublime Security
Credential Phishing
Encryption
Evasion
PDF
Social engineering
Content analysis
Exif analysis
File analysis
Natural Language Understanding
Sender analysis
Link: Credential harvesting with excess padding evasion
8d ago
Jun 15th, 2026
Sublime Security
Credential Phishing
Evasion
Social engineering
Content analysis
HTML analysis
Exif analysis
URL screenshot
Attachment: JPEG with gd-jpeg creator and suspicious file name
11d ago
Jun 12th, 2026
Sublime Security
Credential Phishing
Evasion
File analysis
Exif analysis
Attachment: MS OOXML file created by Administrator with zero edit time
11d ago
Jun 12th, 2026
Sublime Security
Malware/Ransomware
Evasion
Exif analysis
File analysis
Attachment: PDF with self-service platform links with self sender or blank recipients
13d ago
Jun 10th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
PDF
Evasion
Free file host
File analysis
Exif analysis
URL analysis
Sender analysis
Attachment: Canva PDF with susupicious author metadata
18d ago
Jun 5th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Free email provider
PDF
Exif analysis
File analysis
Attachment: Callback phishing solicitation via pdf file
18d ago
Jun 5th, 2026
Sublime Security
Callback Phishing
Evasion
Free email provider
Out of band pivot
PDF
Social engineering
Exif analysis
File analysis
Optical Character Recognition
Sender analysis
Attachment: PDF Attachment with links to workers.dev
19d ago
Jun 4th, 2026
Sublime Security
Credential Phishing
PDF
Free subdomain host
Evasion
File analysis
Exif analysis
URL analysis
Attachment: PDF with specific author metadata
22d ago
Jun 1st, 2026
Sublime Security
Credential Phishing
PDF
Exif analysis
File analysis
Attachment: Compensation-themed DOCX with QR code credential theft
25d ago
May 29th, 2026
Sublime Security
Credential Phishing
QR code
Social engineering
Impersonation: Brand
File analysis
Optical Character Recognition
QR code analysis
Natural Language Understanding
Exif analysis
Content analysis
Attachment: Suspicious PDF created with headless browser
1mo ago
May 7th, 2026
Sublime Security
Credential Phishing
Evasion
PDF
Content analysis
Exif analysis
File analysis
Optical Character Recognition
Callback phishing: AOL senders with suspicious HTML template or PDF attachment
1mo ago
May 4th, 2026
Sublime Security
Callback Phishing
Free email provider
Social engineering
Content analysis
Header analysis
File analysis
HTML analysis
Exif analysis
Sender analysis
Attachment: PDF with suspicious HeadlessChrome metadata
1mo ago
May 1st, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Evasion
PDF
File analysis
Exif analysis
Attachment: Legal themed message or PDF with suspicious indicators
2mo ago
Apr 3rd, 2026
Sublime Security
Credential Phishing
Extortion
BEC/Fraud
Evasion
PDF
Social engineering
Content analysis
File analysis
Natural Language Understanding
Optical Character Recognition
URL analysis
Whois
Header analysis
Exif analysis
Attachment: PDF bid/proposal lure with credential theft indicators
2mo ago
Mar 27th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
PDF
Social engineering
Free file host
Free subdomain host
File analysis
Content analysis
Optical Character Recognition
Natural Language Understanding
URL analysis
Exif analysis
Attachment: PDF with ReportLab library and default metadata
3mo ago
Feb 27th, 2026
Sublime Security
Credential Phishing
PDF
Evasion
File analysis
Exif analysis
Attachment: Excel file with document sharing lure created by Go Excelize
4mo ago
Jan 29th, 2026
Sublime Security
Credential Phishing
Macros
Social engineering
File analysis
Macro analysis
Content analysis
Exif analysis
Attachment: Fake lawyer & sports agent identities
4mo ago
Jan 26th, 2026
Sublime Security
BEC/Fraud
Impersonation: VIP
Social engineering
Content analysis
Exif analysis
File analysis
Optical Character Recognition
Attachment: Password-protected PDF with fake document indicators
5mo ago
Jan 21st, 2026
Sublime Security
Malware/Ransomware
Credential Phishing
Encryption
Evasion
PDF
File analysis
YARA
Exif analysis
Page 1 of 2