Detection Method: Exif analysis

Exif analysis looks at embedded metadata in files to uncover suspicious details that could indicate malicious activity. By extracting and analyzing Exif data from images, documents, PDFs, and other attachments, this method can help spot hidden threats that would normally go undetected.
Exif analysis can detect:
  • Document timestamps that don’t match the claimed origin
  • Authorship info that conflicts with the sender’s identity
  • Signs of image or document manipulation
  • Suspicious tools used to create the file
  • Geographical data that’s inconsistent with the expected origin
For example, a phishing email claiming to be an invoice might have metadata showing it was created with unauthorized tools, edited recently, or authored by someone outside the company it’s pretending to be from.
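As an added example (not Sublime Security's rule logic or code), the following Python pulls the standard /Info keys out of a PDF's raw bytes and applies the checks listed above: creator tool, author versus sender domain, and timestamp sanity. The sample PDF bytes, sender domain, receipt time and the list of scripted-generation tool names are constructed assumptions; the regex reads only literal-string values, so a real deployment would use a proper PDF parser that also handles hex strings, object streams and XMP metadata.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample (not a real capture): the /Info dictionary an emailed "invoice" PDF might carry.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Title (Invoice 4471) /Author (billing@vendor-example.test)\n"
              b"/Creator (HeadlessChrome) /Producer (Skia/PDF m124)\n"
              b"/CreationDate (D:20250617231500Z) /ModDate (D:20250618001000Z) >>\nendobj\n")
SAMPLE_SENDER_DOMAIN = "freemail-example.test"              # constructed: domain of the sending address
SAMPLE_NOW = datetime(2025, 6, 18, 9, tzinfo=timezone.utc)  # constructed: time the mail was received
INFO_KEYS = ("Title", "Author", "Creator", "Producer", "CreationDate", "ModDate")
SUSPICIOUS_TOOLS = ("headlesschrome", "wkhtmltopdf", "puppeteer")  # assumption: illustrative tool list
PDF_DATE = re.compile(r"D:(\d{4})(\d{2})(\d{2})(\d{2})?(\d{2})?(\d{2})?")

def extract_info(pdf: bytes) -> dict:
    """Return literal-string values of the standard /Info keys (hex strings, XMP, object streams not handled)."""
    info = {}
    for key in INFO_KEYS:
        m = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", pdf)
        if m:
            info[key] = m.group(1).decode("latin-1")
    return info

def parse_pdf_date(value: str):
    """Convert a PDF date (D:YYYYMMDDHHmmSS...) to an aware datetime; offset suffix ignored, UTC assumed."""
    m = PDF_DATE.match(value)
    if not m:
        return None
    y, mo, d, h, mi, s = (int(p) if p else 0 for p in m.groups())
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)

def assess(info: dict, sender_domain: str, now: datetime) -> list:
    """Turn metadata inconsistencies into finding names; each check mirrors one bullet in the list above."""
    findings = []
    tool = (info.get("Creator", "") + " " + info.get("Producer", "")).lower()
    if any(t in tool for t in SUSPICIOUS_TOOLS):
        findings.append("suspicious_tool")            # file generated by a scripted/headless tool
    author = info.get("Author", "")
    if "@" in author and author.rsplit("@", 1)[1].lower() != sender_domain.lower():
        findings.append("author_sender_mismatch")     # author's domain differs from the sender's
    created = parse_pdf_date(info.get("CreationDate", ""))
    modified = parse_pdf_date(info.get("ModDate", ""))
    if created and modified and modified < created:
        findings.append("modified_before_created")    # impossible ordering: timestamps likely tampered
    if modified and now - modified < timedelta(hours=24):
        findings.append("edited_recently")            # "old invoice" touched just before it was sent
    return findings

if __name__ == "__main__":
    print(assess(extract_info(SAMPLE_PDF), SAMPLE_SENDER_DOMAIN, SAMPLE_NOW))
```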
Tactics & Techniques (11): Evasion, Free email provider, Out of band pivot, PDF, Social engineering, Image as content, Encryption, Scripting, Impersonation: Brand, Exploit, LNK
Rule Name & Severity | Last Updated | Author | Types, Tactics & Capabilities

Attachment: Callback Phishing solicitation via pdf file
  Last Updated: 9h ago (Jun 18th, 2025 UTC)
  Author: Sublime Security
  Types, Tactics & Capabilities: Callback Phishing, Evasion, Free email provider, Out of band pivot, PDF, Social engineering, Exif analysis, File analysis, Optical Character Recognition, Sender analysis
  /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097

Attachment: Suspicious PDF Created With Headless Browser
  Last Updated: 9d ago (Jun 9th, 2025 UTC)
  Author: Sublime Security
  Types, Tactics & Capabilities: Credential Phishing, Evasion, PDF, Content analysis, Exif analysis, File analysis, Optical Character Recognition
  /feeds/core/detection-rules/attachment-suspicious-pdf-created-with-headless-browser-8f3108d7

Callback Phishing: AOL Senders with Suspicious HTML Template or PDF Attachment
  Last Updated: 15d ago (Jun 3rd, 2025 UTC)
  Author: Sublime Security
  Types, Tactics & Capabilities: Callback Phishing, Free email provider, Social engineering, Content analysis, Header analysis, File analysis, HTML analysis, Exif analysis, Sender analysis
  /feeds/core/detection-rules/callback-phishing-aol-senders-with-suspicious-html-template-or-pdf-attachment-f6044eed

Callback Phishing: Social Security Administration Fraud
  Last Updated: 3mo ago (Feb 24th, 2025 UTC)
  Author: Sublime Security
  Types, Tactics & Capabilities: Callback Phishing, Evasion, Free email provider, Out of band pivot, PDF, Social engineering, Exif analysis, File analysis, Optical Character Recognition, Sender analysis
  /feeds/core/detection-rules/callback-phishing-social-security-administration-fraud-a9049d52

Spam: Item Giveaway Spam Template
  Last Updated: 5mo ago (Jan 8th, 2025 UTC)
  Author: Sublime Security
  Types, Tactics & Capabilities: Spam, Image as content, Content analysis, HTML analysis, Sender analysis, Exif analysis
  /feeds/core/detection-rules/spam-item-giveaway-spam-template-06a5f93b

Attachment: Encrypted PDF With Credential Theft Body
  Last Updated: 8mo ago (Oct 10th, 2024 UTC)
  Author: Sublime Security
  Types, Tactics & Capabilities: Credential Phishing, Encryption, Evasion, PDF, Social engineering, Content analysis, Exif analysis, File analysis, Natural Language Understanding, Sender analysis
  /feeds/core/detection-rules/attachment-encrypted-pdf-with-credential-theft-body-c9596c9a

Attachment: Office Document with VSTO Add-in
  Last Updated: 1y ago (Jan 11th, 2024 UTC)
  Author: @vector_sec
  Types, Tactics & Capabilities: Malware/Ransomware, Scripting, Archive analysis, Content analysis, Exif analysis, File analysis, Sender analysis, URL analysis
  /feeds/core/detection-rules/attachment-office-document-with-vsto-add-in-27afa730

Attachment: Emotet heavily padded doc in zip file
  Last Updated: 2y ago (Oct 4th, 2023 UTC)
  Author: Sublime Security
  Types, Tactics & Capabilities: Malware/Ransomware, Evasion, Archive analysis, Content analysis, Exif analysis, File analysis, Sender analysis
  /feeds/core/detection-rules/attachment-emotet-heavily-padded-doc-in-zip-file-9a5332ed

Attachment: PowerPoint with suspicious hyperlink
  Last Updated: 2y ago (Aug 21st, 2023 UTC)
  Author: Sublime Security
  Types, Tactics & Capabilities: Malware/Ransomware, Evasion, Scripting, Exif analysis, File analysis
  /feeds/core/detection-rules/attachment-powerpoint-with-suspicious-hyperlink-0a999fb1

Attachment: PDF file with Link to Fake Bitcoin Exchange
  Last Updated: 2y ago (Aug 21st, 2023 UTC)
  Author: Sublime Security
  Types, Tactics & Capabilities: BEC/Fraud, Free email provider, Impersonation: Brand, PDF, Social engineering, Exif analysis, File analysis, Sender analysis, URL analysis
  /feeds/core/detection-rules/attachment-pdf-file-with-link-to-fake-bitcoin-exchange-47601cb7

Attachment: LNK with embedded content
  Last Updated: 2y ago (Aug 21st, 2023 UTC)
  Author: @ajpc500
  Types, Tactics & Capabilities: Malware/Ransomware, Exploit, LNK, Scripting, Content analysis, Exif analysis, File analysis
  /feeds/core/detection-rules/attachment-lnk-with-embedded-content-41452f7a