Phishers Embed Malicious HTML Inside SVG Files in Stealthy New Attack Method

A new wave of phishing attacks has emerged in early 2025, with cybercriminals embedding malicious HTML and JavaScript code within SVG (Scalable Vector Graphics) files to bypass traditional security filtering.

These campaigns signal a shift in attacker methodology, leveraging the versatility of SVG, a widely accepted XML-based vector image format which, unlike raster formats such as JPEG or PNG, can natively host not only graphical data but also active HTML and JavaScript elements.


SVG File Attachments Signal Shift in Phishing Tactics

SVG files, typically used to store two-dimensional vector graphics, appear as ordinary images in email clients and viewers, but their underlying XML markup, readable in any text editor, can carry a payload that never shows up in the rendered picture.

Attackers are exploiting the <foreignObject> element, which lets an SVG wrap arbitrary HTML, together with the format's other HTML and JavaScript embedding features, to hide phishing links or scripts that lead to credential-harvesting sites.

According to the report, this approach allows SVG attachments to masquerade as harmless images while functioning as fully interactive phishing web pages once a browser, rather than an image viewer, opens them.

Recent phishing campaigns observed in the first quarter of 2025 illustrate this trend.

In one instance, emails closely mimicking legitimate notifications, such as voice-message alerts or e-signature requests, carried SVG attachments.

While the email headers declared these files as image types, opening them in a text editor revealed their true nature: either a phishing landing page embedded directly within the SVG, or a redirection script that sends the browser to a fraudulent external site.

One example detailed an SVG that, when rendered as HTML in the browser, presented a deceptive link purporting to lead to an audio file.

Victims who clicked the link were redirected to a phishing page imitating Google Voice, complete with corporate branding and static images designed to further legitimize the scam.

The login form on this page harvested credentials under the guise of granting access to voice message content.


Campaigns Surge in Early 2025 Amid Technical Exploitation

Another documented campaign used SVG files with embedded JavaScript. When the file was opened, the script launched a new browser window directing the target to a fake Microsoft login page, again engineered to capture enterprise credentials.
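To make the inspection described above concrete, here is an added example (not code from the report or from the campaigns it describes): a Python script that parses a constructed .eml message, extracts any part that is declared or sniffed as SVG, and flags the markup that turns an "image" into a web page: <script> and <foreignObject> elements, on* event handlers, javascript: URLs and external links. The message, its filename and every hostname in it are constructed placeholders.

```python
"""Scan e-mail attachments for SVG files that carry active content.

Added example for this article, not code from the report it cites or from
the campaigns it describes. SAMPLE_EML is a constructed message: its SVG
only mirrors the structure the article describes (a <foreignObject> holding
an HTML link and a <script> that opens a window); the hostnames and the
filename are placeholders.
"""
import email
import re
from email import policy
from xml.etree import ElementTree as ET

# Elements that turn a "picture" into a web page when a browser renders it.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}

# Constructed message: the attachment is declared as an image, but its body
# is a small HTML/JavaScript page wrapped in SVG markup.
SAMPLE_EML = b"""\
From: notifications@example.invalid
To: victim@example.invalid
Subject: New voice message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have a new voice message. Open the attached image to listen.

--b1
Content-Type: image/svg+xml; name="voicemail.svg"
Content-Disposition: attachment; filename="voicemail.svg"
Content-Transfer-Encoding: 7bit

<svg xmlns="http://www.w3.org/2000/svg" width="400" height="200">
  <rect width="400" height="200" fill="white"/>
  <foreignObject width="400" height="200">
    <div xmlns="http://www.w3.org/1999/xhtml">
      <a href="https://voice.example.invalid/audio">Play audio message</a>
    </div>
  </foreignObject>
  <script>window.open("https://login.example.invalid/auth");</script>
</svg>
--b1--
"""


def local_name(qualified: str) -> str:
    """Strip an ElementTree '{namespace}' prefix from a tag or attribute name."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list[str]:
    """Return a finding for every active-content construct in an SVG document.

    xml.etree does not fetch external entities, but for untrusted input in
    production parse with defusedxml instead (assumption: it is installed)
    so entity-expansion tricks are rejected as well.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); treat as suspicious"]

    findings = []
    for elem in root.iter():
        tag = local_name(elem.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = local_name(attr)
            if name.startswith("on"):  # onload=, onclick=, onbegin=, ...
                findings.append(f"event handler {name}= on <{tag}>")
            elif name == "href":  # covers both href= and xlink:href=
                target = value.strip()
                if target.lower().startswith("javascript:"):
                    findings.append(f"javascript: URL on <{tag}>")
                elif re.match(r"https?://", target, re.I):
                    findings.append(f"external link on <{tag}>: {target}")
    return findings


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Walk the MIME parts of a message and scan every part that is SVG.

    The declared Content-Type is not trusted on its own: a part is also
    scanned when its filename ends in .svg or its bytes contain an <svg tag.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    results: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        declared_svg = part.get_content_type() == "image/svg+xml"
        looks_svg = b"<svg" in payload[:4096].lower()
        if declared_svg or looks_svg or name.lower().endswith(".svg"):
            results[name] = scan_svg(payload)
    return results


if __name__ == "__main__":
    for filename, findings in scan_message(SAMPLE_EML).items():
        print(f"{filename}: {'BLOCK' if findings else 'allow'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the constructed message, the scanner reports the <foreignObject>, the external link inside it and the <script> block, which is exactly what a gateway that only trusts the image/svg+xml content type never sees. A plain vector drawing (paths, rects, circles, no hrefs) yields no findings, so the same check can be applied to every SVG attachment without blocking legitimate graphics.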

These attacks demonstrate not only the adaptability of SVG file misuse but also the attackers’ evolving sophistication in social engineering and technical obfuscation.

Telemetry data underscores the rapid growth of this attack vector. Security researchers tracked 2,825 phishing emails carrying SVG attachments in Q1 2025 alone.

The upward trajectory continued in April: 1,324 additional malicious SVG emails were detected in the first half of the month, more than two-thirds of March's total in just two weeks.

The emergence of SVG-based phishing marks a turning point in adversarial tactics, exploiting a trusted image format to evade email gateways and endpoint security solutions that treat it as a harmless picture.

As awareness increases, security teams are urged to inspect SVG attachments for script and foreignObject content rather than trusting their declared image type, and to educate users about the risks of seemingly benign image files.

While current iterations of these attacks remain relatively basic, comparable to HTML attachment campaigns, the flexibility of the SVG format leaves considerable room for more complex, evasive techniques in future targeted operations.

Security professionals must remain vigilant as threat actors continue to diversify their delivery vectors, making SVG attachment abuse a growing concern in the ongoing battle against phishing.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
