New Phishing Campaign Exploits SVG Attachments to Evade Filters
- [01] Phishing campaigns are using SVG attachments to bypass security filters and deliver malicious scripts or redirects directly to unsuspecting users.
- [02] All organizations utilizing standard email services are affected as attackers exploit the XML-based nature of Scalable Vector Graphics.
- [03] Defenders must configure email gateways to inspect SVG files for embedded scripts and train staff to recognize suspicious vector graphic attachments.
The phishing threat vector has shifted toward Scalable Vector Graphics (SVG) attachments as a way to circumvent modern email security perimeters. According to SANS ISC, there has been a notable influx of emails in which the primary payload is an SVG attachment rather than a direct URL or a traditional document file. This TTP leverages the inherent design of the SVG format: it is an XML-based vector image format whose markup can carry embedded JavaScript (in <script> elements) and hyperlinks, which a browser will execute and follow when it renders the image.
Analyzing the Surge in Phishing with SVG Files
Security analysts are observing a trend where the email body contains no suspicious links or text, often featuring only a brief instruction or a placeholder image. The actual malicious component is housed within the SVG attachment. Because these files are XML-based, they are often treated as simple images by less sophisticated filters. However, an SVG can contain a <script> tag, enabling it to perform actions when opened in a web browser—the default viewer for this file type on most modern operating systems. This technique is particularly effective because it allows attackers to hide their intent within the structure of a common image format.
The Technical Anatomy of SVG Exploitation
The primary goal of these campaigns is typically SVG-based credential harvesting. When a user opens the attachment, the embedded JavaScript can trigger a redirect to a malicious domain or render a pixel-perfect imitation of a login page (e.g., Microsoft 365 or Google Workspace). Because the content is rendered locally from the file, the initial URL seen by the user in the browser address bar may appear as a local file path (file://), which can disarm the user’s suspicion compared to a known malicious domain.
Furthermore, attackers use SVGs to bypass EDR solutions that focus on executable files or document macros. Since an SVG is essentially text-based XML, it can be obfuscated or fragmented to hide its intent from static analysis tools. For example, an attacker might encode a malicious URL in Base64 within the XML and use a small script block to decode and execute the redirect at runtime. This evasion strategy makes detecting malicious SVG attachments a significant challenge for legacy security stacks.
Detection and Mitigation Strategies
For a SOC, addressing this threat requires a combination of content inspection and behavioral monitoring. Traditional gateways that only look at file extensions must be reconfigured to inspect the internal XML structure of SVG files for tags such as <script>, <iframe>, or <a> with external href attributes.
If your organization uses a SIEM, you should monitor for unusual browser behavior originating from locally opened files. This aligns with the MITRE ATT&CK framework under technique T1204.002 (User Execution: Malicious File). Identifying an IoC in these campaigns is difficult because the malicious URLs are often rotated quickly, but the presence of scripts within an image file is a high-fidelity indicator of malicious intent.
To defend against these threats, organizations should:
- Update email filtering rules to flag or quarantine SVG attachments that contain active script tags.
- Implement browser isolation technologies that execute untrusted attachments in a sandboxed environment.
- Enhance user awareness training to specifically cover the risks of opening unexpected image attachments, even if they appear benign.
- Use content disarm and reconstruction (CDR) tools to strip active content from SVGs before they reach the endpoint.
Understanding how to analyze SVG phishing files is becoming a necessary skill for incident responders. By opening these files in a text editor rather than a browser, analysts can safely inspect the XML code for obfuscated scripts or suspicious redirects without risking infection. This proactive approach ensures that the organization remains resilient against this delivery method.
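A defensive inspector along the lines of the gateway checks and text-editor triage described above, as an added example (not code from the article or from SANS ISC): it parses the SVG as XML, reports <script>, foreignObject and iframe elements, event-handler attributes and external hrefs, and decodes Base64 runs inside script bodies to show what a runtime redirect would resolve to. The two sample SVGs and the login.example.invalid domain are constructed placeholders, not indicators from any real campaign.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Attributes that carry a target; xlink:href arrives from ElementTree fully namespaced.
HREF_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}
# Loose Base64 shape: a long run of alphabet characters plus optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
EXTERNAL_RE = re.compile(r"^(https?:|javascript:|data:)", re.I)

def _local(tag):
    """Strip an XML namespace prefix: '{ns}script' -> 'script'."""
    return tag.rsplit("}", 1)[-1].lower()

def inspect_svg(data):
    """Return findings describing active content in an SVG; ElementTree never runs scripts."""
    findings = []
    root = ET.fromstring(data)
    for el in root.iter():
        name = _local(el.tag)
        if name == "script":
            findings.append("script element")
            # Decode Base64 runs in the script body to see what an obfuscated redirect hides.
            for blob in B64_RE.findall(el.text or ""):
                try:
                    decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
                except ValueError:  # binascii.Error is a ValueError: not real Base64, skip it
                    continue
                if "://" in decoded:
                    findings.append("base64-encoded URL in script: " + decoded)
        elif name in ("foreignobject", "iframe"):
            findings.append(name + " element")
        for attr, value in el.attrib.items():
            if attr.lower().startswith("on"):
                findings.append("event handler %s on <%s>" % (attr, name))
            if attr in HREF_ATTRS and EXTERNAL_RE.match(value.strip()):
                findings.append("external href on <%s>: %s" % (name, value.strip()))
    return findings

# Constructed samples for demonstration; the domain is a placeholder.
ENCODED_URL = base64.b64encode(b"https://login.example.invalid/").decode()
SUSPICIOUS_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <a xlink:href="https://login.example.invalid/"><text x="10" y="20">Open document</text></a>
  <script>var u = atob("{ENCODED_URL}");</script>
</svg>"""
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'

print(*inspect_svg(SUSPICIOUS_SVG), sep="\n")  # benign sample yields an empty list
```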