Detection Method: Exif analysis

Exif analysis looks at embedded metadata in files to uncover suspicious details that could indicate malicious activity. By extracting and analyzing Exif data from images, documents, PDFs, and other attachments, this method can help spot hidden threats that would normally go undetected.
Exif analysis can detect:
  • Document timestamps that don’t match the claimed origin
  • Authorship info that conflicts with the sender’s identity
  • Signs of image or document manipulation
  • Suspicious tools used to create the file
  • Geographical data that’s inconsistent with the expected origin
For example, a phishing email claiming to be an invoice might have metadata showing it was created with unauthorized tools, edited recently, or authored by someone outside the company it’s pretending to be from.
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Attachment: Encrypted PDF with credential theft language in EML
3d ago
Jul 13th, 2026
Sublime Security
Attachment: Suspicious PDF created with headless browser
15d ago
Jul 1st, 2026
Sublime Security
Attachment: PDF with localhost IP in EXIF title metadata
17d ago
Jun 29th, 2026
Sublime Security
Attachment: Invoice and W-9 PDFs with suspicious creators
20d ago
Jun 26th, 2026
Sublime Security
Attachment: PDF with a suspicious string and single URL
29d ago
Jun 17th, 2026
Sublime Security
Attachment: Encrypted PDF with credential theft body
29d ago
Jun 17th, 2026
Sublime Security
Link: Credential harvesting with excess padding evasion
1mo ago
Jun 15th, 2026
Sublime Security
Attachment: JPEG with gd-jpeg creator and suspicious file name
1mo ago
Jun 12th, 2026
Sublime Security
Attachment: MS OOXML file created by Administrator with zero edit time
1mo ago
Jun 12th, 2026
Sublime Security
Attachment: PDF with self-service platform links with self sender or blank recipients
1mo ago
Jun 10th, 2026
Sublime Security
Attachment: Canva PDF with susupicious author metadata
1mo ago
Jun 5th, 2026
Sublime Security
Attachment: Callback phishing solicitation via pdf file
1mo ago
Jun 5th, 2026
Sublime Security
Attachment: PDF Attachment with links to workers.dev
1mo ago
Jun 4th, 2026
Sublime Security
Attachment: PDF with specific author metadata
1mo ago
Jun 1st, 2026
Sublime Security
Attachment: Compensation-themed DOCX with QR code credential theft
1mo ago
May 29th, 2026
Sublime Security
Callback phishing: AOL senders with suspicious HTML template or PDF attachment
2mo ago
May 4th, 2026
Sublime Security
Attachment: PDF with suspicious HeadlessChrome metadata
2mo ago
May 1st, 2026
Sublime Security
Attachment: Legal themed message or PDF with suspicious indicators
3mo ago
Apr 3rd, 2026
Sublime Security
Attachment: PDF bid/proposal lure with credential theft indicators
3mo ago
Mar 27th, 2026
Sublime Security
Attachment: PDF with ReportLab library and default metadata
4mo ago
Feb 27th, 2026
Sublime Security