Tactic or Technique: Image as content

Phishing attacks sometimes use images instead of text to hide their intent and evade detection. This technique, often called “image as content,” involves embedding fake login prompts, alerts, or messages inside graphics that look legitimate but can’t be scanned by traditional text-based filters.
These images often appear polished and professional, using logos and layouts that mimic real companies. In many cases, the image itself is clickable and leads you to a phishing site. With little or no surrounding text, the message is more likely to slip through security scans and still look convincing.
This tactic works because visuals feel trustworthy. A branded banner or alert can seem more legitimate than a plain-text email. That’s why defending against it is harder. Traditional filters struggle to analyze image content, so stopping these attacks often requires a combination of advanced image scanning and the ability to recognize visual red flags—not just suspicious text.
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Brand Impersonation: Fake Fax
15d ago
Jun 2nd, 2025 UTC
Sublime Security
/feeds/core/detection-rules/brand-impersonation-fake-fax-2a96b90a
Attachment: Fake attachment image lure
18d ago
May 30th, 2025 UTC
Sublime Security
/feeds/core/detection-rules/attachment-fake-attachment-image-lure-96b8b285
Attachment: Adobe image lure in body or attachment with suspicious link
1mo ago
May 16th, 2025 UTC
Sublime Security
/feeds/core/detection-rules/attachment-adobe-image-lure-in-body-or-attachment-with-suspicious-link-1d7add81
Brand impersonation: Microsoft with low reputation links
1mo ago
May 7th, 2025 UTC
Sublime Security
/feeds/core/detection-rules/brand-impersonation-microsoft-with-low-reputation-links-b59201b6
Attachment: QR Code Link With Base64-Encoded Recipient Address
2mo ago
Mar 27th, 2025 UTC
Sublime Security
/feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a
Attachment: Callback Phishing solicitation via image file
3mo ago
Mar 12th, 2025 UTC
@vector_sec
/feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-image-file-60acbb36
Spam: Image as content with Hidden HTML Element
3mo ago
Mar 3rd, 2025 UTC
Sublime Security
/feeds/core/detection-rules/spam-image-as-content-with-hidden-html-element-5de8861f
Attachment: SVG Files With Evasion Elements
3mo ago
Feb 21st, 2025 UTC
Sublime Security
/feeds/core/detection-rules/attachment-svg-files-with-evasion-elements-5d2dbb60
Attachment: QR Code With Userinfo Portion
3mo ago
Feb 21st, 2025 UTC
Sublime Security
/feeds/core/detection-rules/attachment-qr-code-with-userinfo-portion-9d62cc5c
Spam: Item Giveaway Spam Template
5mo ago
Jan 8th, 2025 UTC
Sublime Security
/feeds/core/detection-rules/spam-item-giveaway-spam-template-06a5f93b
Brand impersonation: USPS
6mo ago
Dec 16th, 2024 UTC
Sublime Security
/feeds/core/detection-rules/brand-impersonation-usps-28b9130a
Attachment: Fake scan-to-email
7mo ago
Oct 28th, 2024 UTC
Sublime Security
/feeds/core/detection-rules/attachment-fake-scan-to-email-ea850cc1
Brand Impersonation: Microsoft Planner With Suspicious Link
8mo ago
Oct 9th, 2024 UTC
Sublime Security
/feeds/core/detection-rules/brand-impersonation-microsoft-planner-with-suspicious-link-ea363c08
Attachment: Fake secure message and suspicious indicators
9mo ago
Sep 16th, 2024 UTC
Sublime Security
/feeds/core/detection-rules/attachment-fake-secure-message-and-suspicious-indicators-20a34d94
Brand Impersonation: DocuSign with embedded QR code
1y ago
May 2nd, 2024 UTC
Sublime Security
/feeds/core/detection-rules/brand-impersonation-docusign-with-embedded-qr-code-f5cde463
Attachment: Microsoft impersonation via PDF with link and suspicious language
1y ago
May 2nd, 2024 UTC
Sublime Security
/feeds/core/detection-rules/attachment-microsoft-impersonation-via-pdf-with-link-and-suspicious-language-70d41c7f
Credential Phishing: Hyper-linked image leading to free file host
1y ago
May 2nd, 2024 UTC
Sublime Security
/feeds/core/detection-rules/credential-phishing-hyper-linked-image-leading-to-free-file-host-f5cb1eca
Image as content with a link to an open redirect (unsolicited)
1y ago
Apr 23rd, 2024 UTC
Sublime Security
/feeds/core/detection-rules/image-as-content-with-a-link-to-an-open-redirect-unsolicited-f5cec36b
Invoicera infrastructure abuse
1y ago
Mar 7th, 2024 UTC
Sublime Security
/feeds/core/detection-rules/invoicera-infrastructure-abuse-1e56f310
Spam: BlackBaud infrastructure abuse
1y ago
Jan 17th, 2024 UTC
Sublime Security
/feeds/core/detection-rules/spam-blackbaud-infrastructure-abuse-3db46591