Phishing continues to be a formidable threat vector in 2025, with attackers adopting increasingly sophisticated methods to slip past conventional security controls.
The latest analyses by Intezer Labs highlight a surge in phishing operations leveraging non-traditional file formats including SVG images, PDF annotations, cloud storage links, and embedded file architectures to bypass email gateways and endpoint scanning.
SVG Files as a Stealthy Attack Vector
A notable trend is the abuse of Scalable Vector Graphics (SVG) files as delivery vehicles for malicious scripts.
SVG, an XML-based format for rendering two-dimensional vector graphics on the web, supports embedded scripts and hyperlinks, presenting a unique opportunity for attackers.
The current wave of attacks sees threat actors embedding Base64-encoded, obfuscated JavaScript payloads within SVG files, which are then distributed as seemingly benign email attachments.
Upon decoding, the concealed payload dynamically reconstructs a phishing URL and redirects victims via window.location.href to credential-harvesting sites.
The obfuscation strategy involves multiple layers: string reversal, insertion and subsequent removal of junk characters, and hexadecimal-to-ASCII conversion, all intended to evade static detection by signature-based or pattern-matching engines.
Such techniques are particularly challenging for security tools that lack deep content inspection for file formats not traditionally associated with executable threats.
In documented cases, these malicious SVGs sailed through security filters undetected, with scans on platforms like VirusTotal initially yielding zero detections.
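As an added defender-side illustration (this is not Intezer's tooling, and the SVG sample and its placeholder URL are constructed for the example), the following check parses an SVG, decodes any Base64 runs found inside `<script>` elements, and reports redirect indicators and the URLs that only appear after decoding:

```python
import base64
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed sample, not a real IoC: a tiny SVG whose <script> decodes a
# Base64 string and hands it to eval(); the decoded code sets
# window.location.href to a placeholder URL.
_PAYLOAD_JS = 'window.location.href = "https://phish.example.invalid/login";'
SAMPLE_SVG = f"""<svg xmlns="{SVG_NS}" width="10" height="10">
  <rect width="10" height="10" fill="blue"/>
  <script type="text/javascript">
    var p = "{base64.b64encode(_PAYLOAD_JS.encode()).decode()}";
    eval(atob(p));
  </script>
</svg>"""

# Heuristic markers of a redirect or of a further decoding stage in script text.
SUSPICIOUS_TOKENS = ("window.location", "location.href", "atob(", "eval(", "unescape(")
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def _decode_base64_blobs(text):
    """Decode every Base64-looking run in text that yields printable UTF-8."""
    out = []
    for m in B64_RE.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            out.append(decoded)
    return out

def scan_svg(svg_text):
    """Return script/handler counts, matched tokens and URLs seen after decoding."""
    root = ET.fromstring(svg_text)
    f = {"scripts": 0, "event_handlers": 0, "tokens": set(), "decoded_urls": []}
    for el in root.iter():
        if el.tag.split("}")[-1] == "script":
            f["scripts"] += 1
            text = el.text or ""
            # Layer 0 is the raw script; later layers are whatever Base64 inside it decodes to.
            for layer in [text] + _decode_base64_blobs(text):
                f["tokens"].update(t for t in SUSPICIOUS_TOKENS if t in layer)
                f["decoded_urls"].extend(URL_RE.findall(layer))
        # on* attributes (onload, onclick, ...) run script without a <script> element.
        f["event_handlers"] += sum(1 for a in el.attrib if a.lower().startswith("on"))
    f["verdict"] = "suspicious" if f["scripts"] or f["event_handlers"] else "clean"
    return f
```

A mail gateway that only pattern-matches the raw attachment never sees the URL; it only exists after the Base64 layer is decoded, which is the gap the check above closes.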
PDF Annotations and Cloud File Links: New Avenues for Phishing
Similarly, attackers have turned to PDF files, embedding malicious URLs within annotation objects in the document's structure rather than in its visible content.
These annotation-embedded links exploit the complex internal structure of PDFs and evade recognition by tools geared toward surface-level text or typical link placements.
The result is a phishing link that is invisible during standard document viewing and eludes most traditional scanners, yet remains just as potent when opened in a viewer that honours annotation actions.

Cloud storage platforms, notably OneDrive, are also being abused. Attackers send read-only OneDrive links to files containing embedded scripts that generate phishing URLs at runtime, so the URLs are absent from the static Document Object Model (DOM).
These dynamically generated URLs evade link-extraction techniques and are only observable through real-time JavaScript execution, further challenging conventional static or pattern-based security solutions.
Phishing actors are embedding MHT (MIME HTML) files within OpenXML-based Office documents (.docx).
MHT files, capable of archiving entire web pages including images, links, and scripts, can convey QR codes harboring phishing URLs.

Analysis revealed instances where social engineering was amplified using branded imagery, urgency cues, and embedded QR codes, making it even more difficult for scanning engines and end-users to recognize the threat.
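As an added example of inspecting this nested-container case (not the researchers' code; the archive, MHT and image bytes are constructed, and it assumes the MHT is pulled in through a `w:altChunk` reference as Word does when importing web archives), the check below opens a .docx as the zip it is, identifies MIME-formatted parts by content rather than by extension, and lists what each MHT carries, including image parts that would hold a QR code:

```python
import io
import zipfile
from email import policy
from email.parser import BytesParser

# Constructed sample .docx-style archive (not a real malicious file): the main
# document imports an external chunk, and that chunk is an MHT archive whose
# parts are an HTML page plus an image standing in for the QR code.
MHT = (b"MIME-Version: 1.0\r\nContent-Type: multipart/related; boundary=\"B\"\r\n\r\n"
       b"--B\r\nContent-Type: text/html\r\nContent-Location: index.htm\r\n\r\n"
       b"<html><body><img src=\"qr.png\"><p>Scan to sign in</p></body></html>\r\n"
       b"--B\r\nContent-Type: image/png\r\nContent-Location: qr.png\r\n"
       b"Content-Transfer-Encoding: base64\r\n\r\niVBORw0KGgo=\r\n--B--\r\n")
DOCUMENT_XML = (b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                b'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                b'<w:body><w:altChunk r:id="rId5"/></w:body></w:document>')

def build_sample_docx():
    """Assemble the constructed archive in memory (a minimal stand-in for a real .docx)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", b"<Types/>")
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/afchunk.mht", MHT)
    return buf.getvalue()

def _is_mime(data):
    """Detect a MIME/MHT body by its header lines, whatever the part is named."""
    head = data[:512].lower()
    return b"mime-version:" in head or b"content-type: multipart/" in head

def scan_docx(docx_bytes):
    """Report altChunk imports and every embedded MIME/MHT part with its sub-parts."""
    report = {"alt_chunks": 0, "mht_parts": []}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            if name == "word/document.xml":
                report["alt_chunks"] = data.count(b"<w:altChunk")
            if not _is_mime(data):
                continue
            msg = BytesParser(policy=policy.default).parsebytes(data)
            parts = [(p.get_content_type(), p.get("Content-Location", ""))
                     for p in msg.walk() if not p.is_multipart()]
            report["mht_parts"].append({
                "name": name, "parts": parts,
                "images": [loc for ct, loc in parts if ct.startswith("image/")],
                "scripts": sum(1 for ct, _ in parts if ct in ("text/javascript", "application/javascript"))})
    report["verdict"] = "suspicious" if report["mht_parts"] else "clean"
    return report
```

Extracting the image parts is the point: the QR code can then be decoded offline and its URL checked, instead of trusting the document's text, which says nothing about where the code leads.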
This methodical layering and use of nested containers highlight a shift towards evasive techniques that exploit trust and format complexity, a trend that static, rules-based detection methods are ill-suited to address.
The ongoing evolution of phishing tactics illustrates a deliberate move away from easily detectable payloads toward obfuscation, structural abuse, and runtime invocation.
Encoded JavaScript in SVG graphics, hidden URLs in PDF annotation metadata, dynamic cloud-hosted links, and deeply nested container files all bypass common detection, underscoring the urgent need for security teams to adopt deep, format-aware, and context-driven inspection techniques.
Only with advanced tooling and continuous research can defenders keep pace with these adaptive threat actors.
Indicators of Compromise (IOC)
File/Link | Type | Details
---|---|---
b5a7406d5b4ef47a62b8dd1e4bec7f1812162433955e3a5b750cc471cbfad93e | SVG file hash | Base64 JavaScript payload embedded in SVG, redirects to phishing site
252422de154885806f491d602af3bb2eda10563308c65fa5ba8272a9b59f7f41 | PDF file hash | PDF annotation object holds hidden phishing URL
https://1drv[.]ms/o/c/1ba8fd2bd98c98a8/EqF44YiGOwBIpBplYeDLr_8BcMUtVTMm6dwmUK9E0dXA_A?e=ZrI61x | Cloud link | OneDrive read-only file with JavaScript generating phishing URL at runtime
https://login.rocklongdays[.]shop/NXayublq | Phishing URL | Targeted endpoint for credential harvesting via redirected OneDrive link
07565bc74159ddbebb8dadbd6f20871f4236883653dc7fdd1d30ecd0460167e5 | DOCX file hash | .docx with embedded MHT containing QR code leading to phishing page
https://elitesglassandmetal[.]com/NXttfWmEqWJrJQ | Phishing URL | QR code leads here; domain impersonates Microsoft/Rolex for credential harvesting