Image-Based Phishing Explained
Image-based phishing is a social engineering technique where the entire email body is delivered as an embedded image rather than rendered HTML text. Instead of writing the phishing message in a format that email clients render as selectable text, attackers compose the message in a design tool, export it as a PNG, JPEG, or GIF, and embed that image file inline. The result looks identical to a normal email from the recipient's perspective, but contains zero parseable text for security tools to analyze. MITRE ATT&CK classifies phishing under Initial Access (T1566), and image-based delivery represents one of the most effective evasion variants within that technique.
How Image-Based Phishing Works
The attack follows a consistent pattern:
- Message composition. The attacker creates a convincing email layout (brand logos, formatted text, call-to-action buttons) and exports the entire composition as a single image file. Every element that would normally be HTML, including headings, body copy, footer disclaimers, and URLs, is flattened into pixels.
- Inline embedding or remote hosting. The image is either embedded in the message itself (as a Base64-encoded MIME part that the HTML references by cid:, or as a data: URI) or hosted on a reputable domain (cloud storage, image hosting services) and referenced via an HTML <img> tag. Remote hosting adds a layer of evasion because the email filter sees only a URL pointing to a trusted domain rather than the phishing content itself.
- Link delivery. The attacker wraps the entire image in a clickable hyperlink (an <img> element nested inside an <a href> link) so that clicking anywhere on the image sends the victim to a credential harvesting page. In some variants there is no clickable link at all: the image displays a URL that victims must type manually, eliminating any link for security tools to scan.
- QR code variants. A growing subset of image-based phishing embeds a QR code within the image, a technique known as quishing. This shifts the attack to mobile devices, where endpoint protection is typically weaker and users are more likely to authenticate without scrutiny.
Research analyzing 386 verified phishing emails found "Text in Image" to be the most prevalent obfuscation technique, present in 47% of the samples studied, and significantly correlated with successful antispam evasion.
Why Image-Based Phishing Evades Traditional Filters
Conventional email security relies on multiple text-dependent analysis methods, all of which fail against image-only messages:
- Keyword and pattern matching. Filters that flag suspicious phrases ("verify your account," "payment failed," "click here immediately") find nothing to match because no text exists in the email body.
- Natural language processing. NLP models trained to detect urgency, impersonation patterns, and social engineering language cannot process pixel data.
- URL extraction and reputation checking. When the URL is rendered inside an image rather than coded as an HTML anchor, security tools cannot extract or evaluate it; the phishing link is invisible to automated scanning. In the clickable-image variant the anchor's href is still present in the HTML and can be checked, so it is the typed-URL and QR code variants that remove the link from the message entirely.
- Sender-content correlation. Filters that compare the sender domain against the email content for consistency (for example, flagging a message that claims to be from a bank but originates from a freemail address) cannot perform this analysis without parseable body text.
These gaps explain why image-based phishing has become a preferred evasion method, particularly when combined with impersonation techniques to strengthen the social engineering pretext.
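To make the two sections above concrete, the following is an added example (not code from the original page or from IRONSCALES). It constructs an image-only message in both forms described above, an inline cid: image and a remote-hosted one, each wrapped in a link, plus a benign newsletter for contrast; runs a phrase-matching filter over the visible text, which finds nothing to match in either phishing sample; and then applies a structural check on what the filter does have (how many visible characters the HTML body carries, whether its images sit inside links, and whether they are inline or remote) that flags both variants and leaves the newsletter alone. All addresses, domains, phrases and the 40-character threshold are assumptions made for the example, and the PNG is a blank placeholder generated in code.

```python
"""Image-only phishing: the keyword filter sees nothing, a structural check does.

Added example, not code from the original page or from IRONSCALES. All messages,
addresses, domains and the flagging threshold below are constructed for illustration.
"""
import re
import struct
import zlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser

# What a conventional text filter looks for (assumed list).
SUSPICIOUS_PHRASES = ("verify your account", "payment failed", "click here immediately")
MIN_VISIBLE_CHARS = 40  # assumed threshold: less visible text than this plus an image = image-only body


def blank_png(width=300, height=200):
    """Valid all-white PNG built in pure Python; stands in for the attacker's rendered 'email body'."""
    def chunk(tag, data):
        body = tag + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    rows = b"".join(b"\x00" + b"\xff" * (width * 3) for _ in range(height))  # filter byte + RGB pixels per row
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)             # 8-bit RGB, no interlace
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")


def build_message(html, inline_png=None):
    """Constructed sample. With inline_png, the HTML becomes the root of a multipart/related with one cid: image."""
    msg = EmailMessage()
    msg["From"] = "Account Services <notice@example-freemail.test>"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "Action required"
    msg.set_content(html, subtype="html")
    if inline_png is not None:
        msg.add_related(inline_png, maintype="image", subtype="png", cid="<body@example-freemail.test>")
    return msg.as_bytes()


# Inline (cid:) variant: the whole body is one image wrapped in a link.
INLINE_PHISH = build_message(
    '<html><body><a href="https://login-portal.example.test/verify">'
    '<img src="cid:body@example-freemail.test" width="600" height="400"></a></body></html>',
    inline_png=blank_png())
# Remote-hosted variant: the filter only sees a URL to an image host, never the pixels.
REMOTE_PHISH = build_message(
    '<html><body><a href="https://login-portal.example.test/verify">'
    '<img src="https://images.example-cdn.test/u/8f3a/notice.png"></a></body></html>')
# Benign comparison: real text, a small logo, and a link that is text rather than an image.
NEWSLETTER = build_message(
    '<html><body><img src="https://example.test/logo.png" width="120"><h1>March release notes</h1>'
    '<p>We shipped single sign-on for the admin console and fixed two export bugs. '
    'Read the full notes at <a href="https://example.test/notes">example.test/notes</a>.</p></body></html>')


class _HtmlScan(HTMLParser):
    """Collects visible text and every <img>, noting whether it sits inside an <a href>."""
    def __init__(self):
        super().__init__()
        self.text, self.images, self._links = [], [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._links += 1
        elif tag == "img":
            self.images.append({"src": a.get("src", ""), "clickable": self._links > 0})

    def handle_endtag(self, tag):
        if tag == "a" and self._links:
            self._links -= 1

    def handle_data(self, data):
        self.text.append(data)


def keyword_filter(visible_text):
    """The text-dependent control from the article: returns the phrases it matched."""
    low = visible_text.lower()
    return [p for p in SUSPICIOUS_PHRASES if p in low]


def analyze(raw):
    """Structural check: does the visible body consist of (clickable) images rather than text?"""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    html_part = msg.get_body(preferencelist=("html",))
    scan = _HtmlScan()
    scan.feed(html_part.get_content() if html_part is not None else "")
    visible = re.sub(r"\s+", " ", "".join(scan.text)).strip()
    inline_cids = {p["Content-ID"].strip("<>") for p in msg.walk()
                   if p.get_content_maintype() == "image" and p["Content-ID"]}
    for img in scan.images:
        src = img["src"]
        img["inline"] = src.startswith("cid:") and src[4:] in inline_cids
        img["remote"] = src.startswith(("http://", "https://"))
    image_only = bool(scan.images) and len(visible) < MIN_VISIBLE_CHARS
    return {
        "visible_chars": len(visible),
        "keyword_hits": keyword_filter(visible),   # empty for both phishing samples: nothing to match
        "images": scan.images,
        "image_only": image_only,
        # Image-only body whose image is the thing you click: flagged whether inline or remote.
        "suspicious": image_only and any(i["clickable"] for i in scan.images),
    }


if __name__ == "__main__":
    for name, raw in (("inline cid", INLINE_PHISH), ("remote image", REMOTE_PHISH), ("newsletter", NEWSLETTER)):
        r = analyze(raw)
        print(f"{name:13s} visible={r['visible_chars']:3d} keyword_hits={r['keyword_hits']} "
              f"image_only={r['image_only']} suspicious={r['suspicious']}")
```

The point of the contrast is that the keyword filter is not wrong, it is starved: both phishing samples hand it an empty string. The structural signals (almost no visible text, an image that is itself the link, an image whose pixels the filter never received) are available to any gateway without OCR, and are the natural trigger for sending the image on to OCR, logo detection or QR decoding.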
Image-Based Phishing Detection from IRONSCALES
IRONSCALES uses computer vision and OCR to analyze image content within emails, extracting embedded text, identifying brand logos, and detecting QR codes that text-based scanners cannot parse.