Image as content

Tactic or Technique: Image as content

Phishing attacks sometimes use images instead of text to hide their intent and evade detection. This technique, often called “image as content,” involves embedding fake login prompts, alerts, or messages inside graphics that look legitimate but can’t be scanned by traditional text-based filters.

These images often appear polished and professional, using logos and layouts that mimic real companies. In many cases, the image itself is clickable and leads you to a phishing site. With little or no surrounding text, the message is more likely to slip through security scans and still look convincing.

This tactic works because visuals feel trustworthy. A branded banner or alert can seem more legitimate than a plain-text email. That’s why defending against it is harder. Traditional filters struggle to analyze image content, so stopping these attacks often requires a combination of advanced image scanning and the ability to recognize visual red flags—not just suspicious text.

Blog Posts

QR Code Phishing: Decoding Hidden Threats

Call Me Maybe? The Rise of Callback Phishing Emails

Attack Types (4):

Detection Methods (12):

Computer Vision

Content analysis

Optical Character Recognition

Sender analysis

URL analysis

File analysis

Natural Language Understanding

Rule Name & Severity	Last Updated	Author	Types, Tactics & Capabilities
Brand Impersonation: Fake Fax	16d ago Jun 2nd, 2025 UTC	Sublime Security	Credential Phishing Impersonation: Brand Image as content Free file host Free subdomain host Social engineering Computer Vision Content analysis Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-fake-fax-2a96b90a
Attachment: Fake attachment image lure	19d ago May 30th, 2025 UTC	Sublime Security	Credential Phishing Malware/Ransomware Evasion Image as content Social engineering File analysis Natural Language Understanding Optical Character Recognition	/feeds/core/detection-rules/attachment-fake-attachment-image-lure-96b8b285
Attachment: Adobe image lure in body or attachment with suspicious link	1mo ago May 16th, 2025 UTC	Sublime Security	Credential Phishing Image as content Impersonation: Brand Content analysis Computer Vision Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/attachment-adobe-image-lure-in-body-or-attachment-with-suspicious-link-1d7add81
Brand impersonation: Microsoft with low reputation links	1mo ago May 7th, 2025 UTC	Sublime Security	Credential Phishing Free file host Image as content Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-with-low-reputation-links-b59201b6
Attachment: QR Code Link With Base64-Encoded Recipient Address	2mo ago Mar 27th, 2025 UTC	Sublime Security	Credential Phishing QR code Image as content Social engineering Evasion PDF Macros Computer Vision File analysis Natural Language Understanding QR code analysis Sender analysis	/feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a
Attachment: Callback Phishing solicitation via image file	3mo ago Mar 12th, 2025 UTC	@vector_sec	Callback Phishing Evasion Free email provider Out of band pivot Social engineering Image as content Content analysis Optical Character Recognition Sender analysis URL analysis Computer Vision	/feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-image-file-60acbb36
Spam: Image as content with Hidden HTML Element	3mo ago Mar 3rd, 2025 UTC	Sublime Security	Spam Evasion Image as content Content analysis HTML analysis Sender analysis	/feeds/core/detection-rules/spam-image-as-content-with-hidden-html-element-5de8861f
Attachment: SVG Files With Evasion Elements	3mo ago Feb 21st, 2025 UTC	Sublime Security	Malware/Ransomware Credential Phishing QR code Image as content Evasion File analysis XML analysis QR code analysis Sender analysis	/feeds/core/detection-rules/attachment-svg-files-with-evasion-elements-5d2dbb60
Attachment: QR Code With Userinfo Portion	3mo ago Feb 21st, 2025 UTC	Sublime Security	Credential Phishing Malware/Ransomware Evasion Image as content PDF QR code QR code analysis File analysis Sender analysis	/feeds/core/detection-rules/attachment-qr-code-with-userinfo-portion-9d62cc5c
Spam: Item Giveaway Spam Template	5mo ago Jan 8th, 2025 UTC	Sublime Security	Spam Image as content Content analysis HTML analysis Sender analysis Exif analysis	/feeds/core/detection-rules/spam-item-giveaway-spam-template-06a5f93b
Brand impersonation: USPS	6mo ago Dec 16th, 2024 UTC	Sublime Security	Credential Phishing Image as content Impersonation: Brand Social engineering Computer Vision Content analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/brand-impersonation-usps-28b9130a
Attachment: Fake scan-to-email	7mo ago Oct 28th, 2024 UTC	Sublime Security	Credential Phishing Free file host Image as content PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-fake-scan-to-email-ea850cc1
Brand Impersonation: Microsoft Planner With Suspicious Link	8mo ago Oct 9th, 2024 UTC	Sublime Security	Credential Phishing Evasion Image as content Impersonation: Brand Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-planner-with-suspicious-link-ea363c08
Attachment: Fake secure message and suspicious indicators	9mo ago Sep 16th, 2024 UTC	Sublime Security	Credential Phishing Image as content Impersonation: Brand Social engineering Content analysis File analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/attachment-fake-secure-message-and-suspicious-indicators-20a34d94
Brand Impersonation: DocuSign with embedded QR code	1y ago May 2nd, 2024 UTC	Sublime Security	Credential Phishing Evasion Image as content Impersonation: Brand QR code Computer Vision Content analysis QR code analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-docusign-with-embedded-qr-code-f5cde463
Attachment: Microsoft impersonation via PDF with link and suspicious language	1y ago May 2nd, 2024 UTC	Sublime Security	Credential Phishing Malware/Ransomware Image as content Impersonation: Brand PDF Scripting Social engineering Computer Vision File analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/attachment-microsoft-impersonation-via-pdf-with-link-and-suspicious-language-70d41c7f
Credential Phishing: Hyper-linked image leading to free file host	1y ago May 2nd, 2024 UTC	Sublime Security	Credential Phishing Evasion Free file host Image as content Social engineering Content analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/credential-phishing-hyper-linked-image-leading-to-free-file-host-f5cb1eca
Image as content with a link to an open redirect (unsolicited)	1y ago Apr 23rd, 2024 UTC	Sublime Security	Credential Phishing Malware/Ransomware Evasion Image as content Open redirect Social engineering Content analysis HTML analysis URL analysis	/feeds/core/detection-rules/image-as-content-with-a-link-to-an-open-redirect-unsolicited-f5cec36b
Invoicera infrastructure abuse	1y ago Mar 7th, 2024 UTC	Sublime Security	Credential Phishing Spam Free file host Free subdomain host Image as content Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/invoicera-infrastructure-abuse-1e56f310
Spam: BlackBaud infrastructure abuse	1y ago Jan 17th, 2024 UTC	Sublime Security	Spam Evasion Impersonation: Brand Image as content Social engineering Content analysis Header analysis	/feeds/core/detection-rules/spam-blackbaud-infrastructure-abuse-3db46591