Detection Method: File analysis

File analysis breaks down and inspects file contents, formats, and embedded elements to uncover hidden threats. This method goes beyond basic file attributes, deeply examining the inner structure of files to find potentially malicious content that looks legitimate on the surface.
File analysis helps detect:
  • Malicious macros in Office documents (Word, Excel, PowerPoint)
  • Obfuscated scripts hidden in PDFs or other document types
  • Executable code disguised in non-executable files
  • Hidden text content using encoding or steganography
  • Suspicious metadata or file properties suggesting tampering
Blog Posts
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits · Blog · Sublime Security
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits · Blog · Sublime Security
Hiding a $50,000 BEC financial fraud in a fake email thread · Blog · Sublime Security
Hiding a $50,000 BEC financial fraud in a fake email thread · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Abusing Discord to deliver Agent Tesla malware · Blog · Sublime Security
Abusing Discord to deliver Agent Tesla malware · Blog · Sublime Security
Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics · Blog · Sublime Security
Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics · Blog · Sublime Security
Gotta Catch 'Em All: Detecting PikaBot Delivery Techniques · Blog · Sublime Security
Gotta Catch 'Em All: Detecting PikaBot Delivery Techniques · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
Call Me Maybe? The Rise of Callback Phishing Emails · Blog · Sublime Security
Call Me Maybe? The Rise of Callback Phishing Emails · Blog · Sublime Security
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction · Blog · Sublime Security
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction · Blog · Sublime Security
Attack Types (6):
BEC/Fraud
Credential Phishing
Callback Phishing
Malware/Ransomware
Extortion
Spam
Tactics & Techniques (24):
Free email provider
Out of band pivot
Impersonation: Brand
PDF
Social engineering
Evasion
Encryption
Free file host
Image as content
HTML smuggling
Scripting
Free subdomain host
IPFS
QR code
Spoofing
LNK
Open redirect
Lookalike domain
Macros
Exploit
OneNote
Impersonation: Employee
Impersonation: VIP
ISO
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
BEC/Fraud: Job scam fake thread or plaintext pivot to freemail
3h ago
Nov 12th, 2025
Sublime Security
BEC/Fraud
Free email provider
Out of band pivot
Content analysis
File analysis
Natural Language Understanding
/feeds/core/detection-rules/becfraud-job-scam-fake-thread-or-plaintext-pivot-to-freemail-ce21c151
Attachment: PDF with Microsoft Purview message impersonation
2d ago
Nov 10th, 2025
Sublime Security
Credential Phishing
Impersonation: Brand
PDF
Social engineering
File analysis
Natural Language Understanding
Content analysis
/feeds/core/detection-rules/attachment-pdf-with-microsoft-purview-message-impersonation-571d4964
Callback phishing in body or attachment (untrusted sender)
4d ago
Nov 8th, 2025
Sublime Security
Callback Phishing
Out of band pivot
Social engineering
Content analysis
File analysis
Optical Character Recognition
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/callback-phishing-in-body-or-attachment-untrusted-sender-b93c6f94
Attachment: 7z Archive Containing RAR File
4d ago
Nov 8th, 2025
Sublime Security
Malware/Ransomware
Evasion
Archive analysis
File analysis
/feeds/core/detection-rules/attachment-7z-archive-containing-rar-file-1a629bb4
Attachment: Encrypted PDF with credential theft body
4d ago
Nov 8th, 2025
Sublime Security
Credential Phishing
Encryption
Evasion
PDF
Social engineering
Content analysis
Exif analysis
File analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/attachment-encrypted-pdf-with-credential-theft-body-c9596c9a
Brand impersonation: Microsoft with low reputation links
4d ago
Nov 8th, 2025
Sublime Security
Credential Phishing
Free file host
Image as content
Impersonation: Brand
Social engineering
Computer Vision
Content analysis
File analysis
Header analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis
URL analysis
/feeds/core/detection-rules/brand-impersonation-microsoft-with-low-reputation-links-b59201b6
Brand impersonation: SharePoint PDF attachment with credential theft language
5d ago
Nov 7th, 2025
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
PDF
Evasion
Computer Vision
File analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis
URL analysis
Header analysis
Whois
/feeds/core/detection-rules/brand-impersonation-sharepoint-pdf-attachment-with-credential-theft-language-ae3756fa
Attachment: ICS file with non-Gregorian calendar scale
8d ago
Nov 4th, 2025
Sublime Security
Credential Phishing
Evasion
File analysis
Content analysis
/feeds/core/detection-rules/attachment-ics-file-with-non-gregorian-calendar-scale-9315bbf5
Callback phishing via extensionless rfc822 attachment
8d ago
Nov 4th, 2025
Sublime Security
Callback Phishing
Impersonation: Brand
Social engineering
File analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis
/feeds/core/detection-rules/callback-phishing-via-extensionless-rfc822-attachment-197722c4
Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender
8d ago
Nov 4th, 2025
Sublime Security
Credential Phishing
Evasion
Social engineering
File analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/attachment-rfc822-containing-suspicious-file-sharing-language-with-links-from-untrusted-sender-d96854d7
HTML smuggling containing recipient email address
8d ago
Nov 4th, 2025
Sublime Security
Credential Phishing
Malware/Ransomware
Evasion
HTML smuggling
Scripting
Archive analysis
File analysis
Sender analysis
/feeds/core/detection-rules/html-smuggling-containing-recipient-email-address-af32ff2f
Attachment: HTML file with reference to recipient and suspicious patterns
8d ago
Nov 4th, 2025
Sublime Security
Credential Phishing
HTML smuggling
Scripting
Content analysis
File analysis
HTML analysis
Javascript analysis
YARA
/feeds/core/detection-rules/attachment-html-file-with-reference-to-recipient-and-suspicious-patterns-5333493d
Attachment: EML with Encrypted ZIP
8d ago
Nov 4th, 2025
Sublime Security
Malware/Ransomware
Encryption
Evasion
Archive analysis
File analysis
YARA
/feeds/core/detection-rules/attachment-eml-with-encrypted-zip-6897a8f7
Attachment: EML file contains HTML attachment with login portal indicators
8d ago
Nov 4th, 2025
Sublime Security
Credential Phishing
Evasion
HTML smuggling
Content analysis
File analysis
Header analysis
HTML analysis
Javascript analysis
Sender analysis
/feeds/core/detection-rules/attachment-eml-file-contains-html-attachment-with-login-portal-indicators-6e4df158
Attachment: HTML smuggling with atob and high entropy
8d ago
Nov 4th, 2025
Sublime Security
Credential Phishing
Malware/Ransomware
HTML smuggling
Scripting
Archive analysis
Content analysis
File analysis
HTML analysis
Javascript analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/attachment-html-smuggling-with-atob-and-high-entropy-03fcac11
Attachment: EML file with IPFS links
8d ago
Nov 4th, 2025
Sublime Security
Credential Phishing
Evasion
Free file host
Free subdomain host
IPFS
File analysis
URL analysis
/feeds/core/detection-rules/attachment-eml-file-with-ipfs-links-1fe9d7e7
Attachment: Any HTML file (unsolicited)
9d ago
Nov 3rd, 2025
Sublime Security
HTML smuggling
File analysis
HTML analysis
Sender analysis
/feeds/core/detection-rules/attachment-any-html-file-unsolicited-ef36763f
Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts
9d ago
Nov 3rd, 2025
Sublime Security
Malware/Ransomware
Credential Phishing
HTML smuggling
Scripting
Evasion
HTML analysis
File analysis
Content analysis
/feeds/core/detection-rules/attachment-html-file-with-excessive-const-declarations-and-abnormally-long-timeouts-66f8a07a
Attachment: Compensation review lure with QR code
14d ago
Oct 29th, 2025
Sublime Security
Credential Phishing
PDF
QR code
Social engineering
File analysis
Optical Character Recognition
QR code analysis
Natural Language Understanding
Sender analysis
Header analysis
/feeds/core/detection-rules/attachment-compensation-review-lure-with-qr-code-9fd8185c
Attachment: Suspicious employee policy update document lure
14d ago
Oct 29th, 2025
Sublime Security
Credential Phishing
PDF
Social engineering
Evasion
Content analysis
File analysis
Sender analysis
/feeds/core/detection-rules/attachment-suspicious-employee-policy-update-document-lure-a8bf1fd1
Page 1 of 11