Detection Method: File analysis

File analysis breaks down and inspects file contents, formats, and embedded elements to uncover hidden threats. This method goes beyond basic file attributes, deeply examining the inner structure of files to find potentially malicious content that looks legitimate on the surface.

File analysis helps detect:

Malicious macros in Office documents (Word, Excel, PowerPoint)
Obfuscated scripts hidden in PDFs or other document types
Executable code disguised in non-executable files
Hidden text content using encoding or steganography
Suspicious metadata or file properties suggesting tampering

Blog Posts

Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits

Hiding a $50,000 BEC financial fraud in a fake email thread

Talking phish over turkey

Abusing Discord to deliver Agent Tesla malware

Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics

Gotta Catch 'Em All: Detecting PikaBot Delivery Techniques

QR Code Phishing: Decoding Hidden Threats

Call Me Maybe? The Rise of Callback Phishing Emails

Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction

Attack Types (6):

Tactics & Techniques (18):

Impersonation: Employee

Rule Name & Severity	Last Updated	Author	Types, Tactics & Capabilities
Brand impersonation: Sharepoint	5h ago Jun 12th, 2025 UTC	Sublime Security	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/brand-impersonation-sharepoint-284b1b70
Attachment: Callback Phishing solicitation via pdf file	21h ago Jun 11th, 2025 UTC	Sublime Security	Callback Phishing Evasion Free email provider Out of band pivot PDF Social engineering Exif analysis File analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097
Attachment: Suspicious PDF Created With Headless Browser	3d ago Jun 9th, 2025 UTC	Sublime Security	Credential Phishing Evasion PDF Content analysis Exif analysis File analysis Optical Character Recognition	/feeds/core/detection-rules/attachment-suspicious-pdf-created-with-headless-browser-8f3108d7
Attachment: Legal Themed Message with PDF Containing Suspicious Link	6d ago Jun 6th, 2025 UTC	Sublime Security	Credential Phishing Evasion PDF Social engineering Content analysis File analysis Header analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/attachment-legal-themed-message-with-pdf-containing-suspicious-link-19133301
Brand Impersonation: PayPal	8d ago Jun 4th, 2025 UTC	Sublime Security	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Computer Vision Content analysis File analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-paypal-a6b2ceee
Encrypted Microsoft Office Files From Untrusted Senders	8d ago Jun 4th, 2025 UTC	Sublime Security	BEC/Fraud Callback Phishing Credential Phishing Extortion Malware/Ransomware Spam Encryption Evasion File analysis YARA Sender analysis	/feeds/core/detection-rules/encrypted-microsoft-office-files-from-untrusted-senders-eb7b26e7
Callback Phishing: AOL Senders with Suspicious HTML Template or PDF Attachment	9d ago Jun 3rd, 2025 UTC	Sublime Security	Callback Phishing Free email provider Social engineering Content analysis Header analysis File analysis HTML analysis Exif analysis Sender analysis	/feeds/core/detection-rules/callback-phishing-aol-senders-with-suspicious-html-template-or-pdf-attachment-f6044eed
Attachment: HTML smuggling with eval and atob via calendar invite	9d ago Jun 3rd, 2025 UTC	Sublime Security	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting File analysis HTML analysis Javascript analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-eval-and-atob-via-calendar-invite-597c2edd
Attachment: HTML smuggling with atob and high entropy via calendar invite	9d ago Jun 3rd, 2025 UTC	Sublime Security	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting File analysis HTML analysis Javascript analysis Sender analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-atob-and-high-entropy-via-calendar-invite-94d84614
Attachment: EML with Suspicious Indicators	10d ago Jun 2nd, 2025 UTC	Sublime Security	Credential Phishing Evasion HTML smuggling Social engineering Content analysis File analysis	/feeds/core/detection-rules/attachment-eml-with-suspicious-indicators-deb5d08d
Suspicious attachment with unscannable Cloudflare link	10d ago Jun 2nd, 2025 UTC	Sublime Security	Credential Phishing Evasion PDF Social engineering Impersonation: Employee Impersonation: VIP File analysis URL analysis Sender analysis Content analysis Header analysis Natural Language Understanding	/feeds/core/detection-rules/suspicious-attachment-with-unscannable-cloudflare-link-00f92b6f
Extortion / Sextortion in Attachment From Untrusted Sender	10d ago Jun 2nd, 2025 UTC	Sublime Security	Extortion Social engineering Spoofing Computer Vision Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/extortion-sextortion-in-attachment-from-untrusted-sender-3cb8d32c
Attachment: Embedded Javascript in SVG file	10d ago Jun 2nd, 2025 UTC	Sublime Security	Malware/Ransomware Scripting Archive analysis File analysis Sender analysis XML analysis	/feeds/core/detection-rules/attachment-embedded-javascript-in-svg-file-f70293bc
Attachment: Fake attachment image lure	13d ago May 30th, 2025 UTC	Sublime Security	Credential Phishing Malware/Ransomware Evasion Image as content Social engineering File analysis Natural Language Understanding Optical Character Recognition	/feeds/core/detection-rules/attachment-fake-attachment-image-lure-96b8b285
Brand impersonation: Dropbox	15d ago May 28th, 2025 UTC	Sublime Security	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-dropbox-61f11d12
Attachment: USDA Bid Invitation Impersonation	20d ago May 23rd, 2025 UTC	Sublime Security	BEC/Fraud Impersonation: Brand PDF Macros Social engineering Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-usda-bid-invitation-impersonation-34eb9493
Open redirect: typedrawers.com	20d ago May 23rd, 2025 UTC	Sublime Security	Credential Phishing Evasion Open redirect QR code Social engineering Content analysis File analysis QR code analysis Sender analysis	/feeds/core/detection-rules/open-redirect-typedrawerscom-158d9e95
Brand impersonation: Amazon with suspicious attachment	29d ago May 14th, 2025 UTC	Sublime Security	Credential Phishing Impersonation: Brand Social engineering Computer Vision File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/brand-impersonation-amazon-with-suspicious-attachment-5751dcb9
Brand impersonation: Microsoft with low reputation links	1mo ago May 7th, 2025 UTC	Sublime Security	Credential Phishing Free file host Image as content Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-with-low-reputation-links-b59201b6
Link: Direct POWR.io Form Builder with Suspicious Patterns	1mo ago May 5th, 2025 UTC	Sublime Security	Credential Phishing Callback Phishing Social engineering File analysis URL analysis Content analysis	/feeds/core/detection-rules/link-direct-powrio-form-builder-with-suspicious-patterns-fd37cc93

Attack Types

Tactics and Techniques

Detection Methods

Detection Method: File analysis