Attachment: JPEG with gd-jpeg creator and suspicious file name

Detects inbound messages containing a single JPEG attachment whose file name follows specific patterns and whose EXIF metadata indicates creation by gd-jpeg v1.0 (the JPEG writer of the GD graphics library). This generator has been observed producing the company logos embedded in phishing messages.

Sublime rule:

name: "Attachment: JPEG with gd-jpeg creator and suspicious file name"
description: "Detects inbound messages containing a single JPEG attachment with specific filename patterns and EXIF metadata indicating creation by gd-jpeg v1.0. This has been observed being used to produce company logos used within phishing messages."
type: "rule"
severity: "high"
source: |
    type.inbound
    and length(filter(attachments, .file_type == "jpg")) == 1
    and any(attachments,
            .file_type == "jpg"
            and .file_extension == "jpeg"
            and strings.icontains(.file_name, 'images')
            and (
              strings.count(.file_name, '/') == 1
              or strings.count(.file_name, 'image') == 2
            )
            and any(beta.parse_exif(.).fields,
                    .key =~ "Comment"
                    and strings.istarts_with(.value, 'CREATOR: gd-jpeg v1.0')
            )
    )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "File analysis"
  - "Exif analysis"
id: "76870456-a2e7-5745-98e9-3d9db87da296"
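The same detection logic re-implemented in Python, as an added example that is not part of the Sublime rule or platform: it parses the JPEG COM segment that gd-jpeg writes (the field exiftool and `beta.parse_exif` report as "Comment") and applies the rule's filename and count conditions to constructed attachment records. The dictionary keys `file_type`, `file_extension`, `file_name` and `data` are assumed names mirroring the MQL attributes, and the sample JPEG bytes are constructed.

```python
import struct

# Constructed sample: the COM text gd-jpeg writes into every JPEG it produces.
GD_COMMENT = "CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 90"

def make_jpeg_with_comment(comment: str) -> bytes:
    """Build a minimal JPEG (SOI, one COM segment, EOI) for exercising the parser."""
    payload = comment.encode("latin-1")
    return (b"\xff\xd8" + b"\xff\xfe" + struct.pack(">H", len(payload) + 2)
            + payload + b"\xff\xd9")

def jpeg_comments(data: bytes) -> list:
    """Walk JPEG marker segments and return each COM (0xFFFE) payload.
    exiftool reports this segment as the 'Comment' field the rule matches on."""
    comments, pos = [], 2
    if data[:2] != b"\xff\xd8":
        return comments
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9 or marker == 0xDA:          # EOI, or SOS: scan data follows
            break
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:  # stand-alone markers, no length
            pos += 2
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xFE:
            comments.append(data[pos + 4:pos + 2 + seg_len].decode("latin-1", "replace"))
        pos += 2 + seg_len
    return comments

def attachment_matches(att: dict) -> bool:
    """Per-attachment conditions, mirroring the inner any() of the MQL rule."""
    name = att["file_name"]
    return (att["file_type"] == "jpg"
            and att["file_extension"] == "jpeg"
            and "images" in name.lower()                          # strings.icontains
            and (name.count("/") == 1 or name.count("image") == 2)
            and any(c.lower().startswith("creator: gd-jpeg v1.0")  # strings.istarts_with
                    for c in jpeg_comments(att["data"])))

def rule_matches(inbound: bool, attachments: list) -> bool:
    """Message-level rule: inbound, exactly one jpg attachment, and it matches."""
    jpgs = [a for a in attachments if a["file_type"] == "jpg"]
    return inbound and len(jpgs) == 1 and any(attachment_matches(a) for a in attachments)

# Constructed attachment record; keys are assumed names mirroring the MQL attributes.
SAMPLE_ATTACHMENTS = [{"file_type": "jpg", "file_extension": "jpeg",
                       "file_name": "images/image001.jpeg",
                       "data": make_jpeg_with_comment(GD_COMMENT)}]
print(rule_matches(True, SAMPLE_ATTACHMENTS))   # True
```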