Cybercriminals have adopted a sophisticated method to bypass traditional email security systems by leveraging Scalable Vector Graphics (SVG) files.
These files, often attached to phishing emails, are being used to target users of Gmail, Outlook, and Dropbox.
The attacks exploit the flexibility of SVG files, embedding malicious scripts and links to lure victims into providing sensitive credentials or downloading malware.
How the Attack Works
SVG files, unlike raster image formats such as JPEG or PNG, are XML text documents, and the format permits script elements, hyperlinks and embedded HTML, so a file that looks like an image can carry active web content such as JavaScript.
When recipients open these attachments, often disguised as legitimate documents, the default handler on most systems is a web browser, which renders the SVG and displays clickable elements that redirect them to phishing websites.
These sites mimic trusted platforms like Microsoft Office 365, Google Docs, or Dropbox, tricking users into entering their login credentials.
In some cases, the embedded links lead to CAPTCHA-protected phishing pages.
Once users pass the CAPTCHA, they are presented with realistic login forms that capture their credentials.
Advanced versions of these attacks even prefill email addresses in the login forms, making them appear more authentic.
Furthermore, some SVG files execute JavaScript that automatically redirects users to phishing sites without requiring any interaction.
The malicious SVG files are designed to evade detection by traditional antivirus and email security tools that treat an image attachment as harmless.
Because the file is plain XML rather than a binary image, attackers can hide scripts and links among ordinary drawing elements, and scanners that merely check the file type or look for known binary signatures see only an image. Some variants carry base64-encoded data that is decoded at runtime into a malicious payload or a hidden URL.
Others embed links to remote images resembling official notifications from platforms like DocuSign or SharePoint.
Sophos researchers have also observed localized attacks targeting specific languages and regions.
For instance, phishing emails directed at Japanese users contained SVG files mimicking Dropbox login screens in Japanese.
Impact on Victims
Once credentials are stolen, they are often exfiltrated to multiple attacker-controlled domains or even transmitted via messaging platforms like Telegram.
In other cases, victims unknowingly download malware such as keyloggers or ransomware embedded within password-protected archives linked through SVG files.
The consequences extend beyond individual users, as compromised accounts can lead to broader organizational breaches.
Attackers may use stolen credentials for business email compromise (BEC) scams or further malware distribution.
To protect against these threats:
- Do not open SVG attachments you were not expecting, even when the sender appears familiar.
- Change the default file association so that SVG files open in a text editor such as Notepad rather than a browser; any script or link is then shown as text instead of being rendered and executed.
- Before entering credentials, check the domain in the browser address bar; phishing sites use look-alike or unrelated domains.
- Deploy email security that inspects SVG attachments for script elements, event-handler attributes and obfuscated or external links, rather than trusting the image file type.
- Conduct regular security awareness training so employees recognize this style of phishing attempt.
Security researchers have developed detection signatures for these weaponized SVG files, but vigilance remains critical as attackers continue refining their tactics.
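As an added example that is not part of the original article or of Sophos's research, the following Python script performs the kind of static attachment triage that the attack description and the mitigations above call for. It parses an SVG as XML and flags the markers the article describes, namely script and other active-content elements, event-handler attributes, javascript: URLs, clickable external links, remote image references and base64 runs that decode to URLs, then maps the findings to a gateway action. The three sample files, the .example.test domains and the quarantine/review/clean policy are constructed for this example; for untrusted input at scale the defusedxml parser is the safer choice, as noted in the code.

```python
"""Static triage of SVG e-mail attachments for the tricks described in this
article: clickable <a> links, <script> redirects, event-handler attributes,
javascript: URLs, base64-obfuscated URLs and remote <image> references.
This is an added example, not code from the article or from Sophos; the
three sample files are constructed here and the .example.test domains are
placeholders."""
import base64
import re
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree on untrusted input

ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)       # onload, onclick, ...
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # long base64-looking runs

# Constructed sample 1: a "document" whose whole canvas is a link to a fake
# Office 365 login page (the clickable-element lure).
LINK_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="200">
  <a xlink:href="https://login-portal.example.test/office365">
    <rect width="400" height="200" fill="#ffffff"/>
    <text x="20" y="100">Click here to view the shared document</text>
  </a>
</svg>"""

# Constructed sample 2: no clickable element at all; an inline script
# decodes a base64 string and redirects the browser without interaction.
_ENCODED = base64.b64encode(b"https://docs.example.test/login").decode()
SCRIPT_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg">
  <script type="text/javascript"><![CDATA[
    window.location = atob("{_ENCODED}");
  ]]></script>
</svg>""".encode()

# Constructed sample 3: an ordinary logo; must produce no findings.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#1a73e8"/>
</svg>"""


def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def _decoded_urls(blob: str):
    """Yield URLs hidden inside base64 runs of a text or attribute value."""
    for run in B64_RUN.findall(blob):
        try:
            text = base64.b64decode(run, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or binary data such as an embedded PNG
        yield from URL_RE.findall(text)


def scan_svg(data: bytes) -> list[str]:
    """Return human-readable findings for one SVG file; [] means clean."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"malformed XML ({exc})"]  # not an image a browser could show
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active content element <{tag}>")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if EVENT_ATTR.match(aname):
                findings.append(f"event handler attribute {aname}")
            elif aname == "href":
                if value.strip().lower().startswith("javascript:"):
                    findings.append("javascript: URL in href")
                elif URL_RE.match(value):
                    kind = "remote image" if tag == "image" else "clickable link"
                    findings.append(f"{kind} {value}")
            findings.extend(f"base64-encoded URL {u}" for u in _decoded_urls(value))
        findings.extend(f"base64-encoded URL {u}" for u in _decoded_urls(el.text or ""))
    return findings


def verdict(data: bytes) -> str:
    """Map findings to a gateway action (policy assumed for this example)."""
    findings = scan_svg(data)
    if any(f.startswith(("active content", "event handler", "javascript:",
                         "base64-encoded", "malformed")) for f in findings):
        return "quarantine"
    return "review" if findings else "clean"


if __name__ == "__main__":
    for label, sample in [("link", LINK_SVG), ("script", SCRIPT_SVG), ("benign", BENIGN_SVG)]:
        print(f"{label:7s} {verdict(sample):10s} {scan_svg(sample)}")
```

The script is deliberately static triage, not a sandbox: JavaScript obfuscated by string splitting or character arithmetic will not yield a decodable base64 URL, which is why the presence of any script element or event handler is itself enough for quarantine, while a bare external link only earns a review, since legitimate SVGs do occasionally carry hyperlinks.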