Fraud Alert: The SVG Image File Scam You Need To Watch Out for
Imagine expecting an important document from a client and receiving an email that looks completely legitimate. The email contains an attachment in SVG (scalable vector graphics) format. You open it, and it redirects you to a website that looks just like DocuSign, Dropbox, or SharePoint, asking for your login details. Without realising it, you enter your credentials, only to find out later that your account has been hacked.
 
This is exactly what happened to Ashutosh (name changed), a corporate executive, while he was expecting some documents from his client. He received an email purporting to be from DocuSign, a legitimate electronic signature service, with a scalable vector graphics (SVG) attachment. When Ashutosh opened the attachment, it redirected him to a webpage resembling DocuSign's, asking him to enter his login credentials. However, even after entering all the details, he could not log in. After checking with the information technology (IT) team, he learned that he had fallen victim to an SVG phishing scam of a kind cybercriminals are using increasingly often. In Ashutosh's case, the fraudsters had created phishing pages mimicking DocuSign's login portal to steal credentials.
 
This is how cybercriminals are using SVG files to trick people into giving away their personal information. SVG files, commonly used for web graphics, have now become a tool for phishing scams, allowing hackers to bypass security filters and steal sensitive data.
 
Around three years ago, security researchers observed a campaign where cybercriminals used SVG files to deliver QBot malware. The SVG contained embedded JavaScript that, upon opening, reconstructed a malicious ZIP archive on the victim's machine, leading to the installation of the malware.
 
In a research note, security services provider Sophos X-Ops warned that cybercriminals are increasingly turning to SVG, a graphics file format that contains XML-like text instructions to draw an image, to bypass anti-phishing and anti-spam protections. Sophos X-Ops found that beginning at the end of last year, phishing gangs adopted the technique of sending weaponised SVG image files attached to emails.
 
The exploitation of SVG files in phishing attacks represents a significant evolution in cybercriminal tactics, leveraging the flexibility and capabilities of this file format to bypass traditional security measures.
 
According to Sophos X-Ops, cybercriminals send their targets an email with an SVG file attachment. When clicked, the attachment opens by default in the target's browser. The SVG file contains links or JavaScript that redirect the browser to a site hosting a phishing kit.
 
"Most targets are presented with a bogus screen that indicates they must click a button to open or read a document hosted on DocuSign, Dropbox, or SharePoint, or that they have received a voicemail message through Google Voice," it says. 
 
Sophos X-Ops noted that nearly half of the SVG files evaluated in this research were sent only to one person, with the target's email address or name embedded in the SVG file. "This level of customisation indicates they are being used for targeted attacks against companies."
 
Let us understand what SVG files are and how cybercriminals are using them for phishing attacks.
 
SVG is an XML-based vector image format widely used for rendering two-dimensional graphics on the web. Unlike popular image formats such as joint photographic experts group (JPEG) or portable network graphic (PNG), which are composed of pixels, SVGs are defined by text-based instructions detailing shapes, lines, colours, and text. This text-based nature allows SVGs to be scalable without losing quality and enables the inclusion of interactive elements like hyperlinks and scripts.
 
According to Sophos X-Ops, attackers have identified that the textual composition of SVG files provides an opportunity to embed malicious content. "Because SVG images can load and render natively inside a browser, they can also contain anchor tags, scripting, and other kinds of active web content. In this way, threat actors have been abusing the file format. The SVG files used in the attacks include some instructions to draw very simple shapes, such as rectangles, but also contain an anchor tag that links to a web page hosted elsewhere," it added.
 
When an SVG file is opened, typically in a web browser, it can execute embedded scripts or direct users to external websites.
 
Cybercriminals craft SVG files that contain minimal graphical content but include anchor tags linking to phishing sites. When a recipient opens such an SVG attachment, it displays a simple image or message. If the user interacts with this content, they are redirected to a fraudulent website designed to harvest credentials or distribute malware.
 
In more sophisticated attacks, according to a report from BleepingComputer, SVG files are used to perform hypertext markup language (HTML) smuggling. This involves embedding encoded JavaScript within the SVG that, when rendered, reconstructs a malicious payload and initiates its download directly on the victim's system, bypassing network security measures that only inspect traffic for known-bad files.
 
A recent tactic involves SVG files that appear blank but contain embedded scripts. When these SVGs are opened, the hidden scripts execute, often redirecting the user to phishing pages without any visible indication, thereby increasing the likelihood of successful exploitation, the report says.
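As an added illustration of the active content described above (example code written for this article, not from Sophos X-Ops, BleepingComputer or any vendor), the following Python script parses an SVG as XML and reports the features an email gateway or an analyst would flag: script elements, event-handler attributes, anchors pointing at external URLs, javascript: URIs, foreignObject elements, and large base64 blobs of the kind HTML smuggling relies on. The three sample files are constructed for the demonstration; phish.example is a placeholder hostname.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample files for the demonstration (not real phishing samples).
# 1. A harmless icon: just a rectangle.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">
  <rect width="16" height="16" fill="#09f"/>
</svg>"""

# 2. The pattern the article describes: a simple shape wrapped in an anchor
#    that points at an external page (phish.example is a placeholder host).
ANCHOR_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="120">
  <a xlink:href="https://phish.example/docusign/open">
    <rect width="400" height="120" fill="#eee"/>
    <text x="20" y="60">Click to open the document</text>
  </a>
</svg>"""

# 3. The HTML-smuggling shape: a script plus a large base64 blob. The blob is
#    filler bytes and the script body is empty; only the structure matters here.
SMUGGLING_SVG = """<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <script><![CDATA[
    var payload = "%s";
    function init() {}
  ]]></script>
</svg>""" % base64.b64encode(b"X" * 600).decode()

# A run of 200+ base64 characters is unusual in a hand-drawn vector image.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
EXTERNAL_URL = re.compile(r"^(https?:)?//", re.IGNORECASE)


def _local(name):
    """Strip the XML namespace prefix ('{uri}tag') from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def scan_svg(svg_text):
    """Return a list of findings describing active content in an SVG document.

    An empty list means none of the checked features were found. Each finding
    starts with a short category so callers can filter on it.
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # Browsers render malformed markup leniently; a strict parser failing
        # is itself a signal, so report it instead of silently passing the file.
        return ["unparseable: %s" % exc]

    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            findings.append("script: <script> element present")
        if tag == "foreignObject":
            findings.append("foreignObject: arbitrary HTML can be embedded")
        for attr, value in el.attrib.items():
            name = _local(attr)
            value = value.strip()
            if name.startswith("on"):
                findings.append("event-handler: %s@%s" % (tag, name))
            elif name == "href":  # covers both href and xlink:href
                if value.lower().startswith("javascript:"):
                    findings.append("javascript-uri: %s@%s" % (tag, name))
                elif EXTERNAL_URL.match(value):
                    findings.append("external-link: %s -> %s" % (tag, value))

    if BASE64_BLOB.search(svg_text):
        findings.append("base64-blob: large encoded payload (HTML smuggling indicator)")
    return findings


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("anchor", ANCHOR_SVG),
                          ("smuggling", SMUGGLING_SVG)):
        print(label, scan_svg(sample) or "clean")
```

These are triage heuristics rather than a verdict: a legitimate SVG that embeds a raster image also carries a base64 blob, and an internal design tool may legitimately link to an intranet page. The useful property for a mail filter is that a benign icon produces no findings at all, while the two attack shapes the article describes each produce several.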
 
The adoption of SVG files in phishing campaigns is particularly concerning because they circumvent traditional security defences: they pass through email filters that do not treat images as risky, they avoid URL detection because the link is inside the attachment rather than the message body, and they evade sandboxing that does not render the file.
 
This brings us to the most crucial question: how can a user safeguard against SVG scams?
 
As these attacks become more sophisticated, it is imperative for individuals and organisations to stay vigilant, update their security protocols, and foster a culture of cybersecurity awareness to mitigate the risks associated with SVG-based phishing threats. 
 
However, do remember that there is no single fix for SVG scams. You need to adopt a multi-layered security approach that combines awareness, technological defences, and best practices.
 
Here are a few suggestions...
 
1. Be cautious with email attachments
Avoid opening unexpected or unfamiliar SVG attachments, especially from unknown senders.
Verify the sender's email address and check for small alterations (e.g., 'amaz0n.com' instead of 'amazon.com').
Hover over links before clicking to ensure they direct you to legitimate websites.
 
2. Disable script execution in browsers
Many browsers allow SVGs to execute scripts by default. Disable JavaScript for untrusted sites or use browser extensions that block automatic script execution.
Consider using security-focused browsers that restrict SVG-based exploits.
 
3. Enable advanced email filtering
Configure email security settings to block or flag emails with SVG attachments.
Use spam filters to detect phishing attempts and sandboxing to inspect suspicious files before opening them.
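Suggestion 3 asks for SVG attachments to be blocked or flagged. The Python below, an added example rather than code from the article or from any named vendor, shows why such a filter should not rely on the file extension alone: it parses a message with the standard email library and flags an attachment when its name, its declared content type, or its actual bytes identify it as SVG. The message is constructed inline as test data and phish.example is a placeholder host.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed SVG bytes used for the test message (not a real phishing sample).
SAMPLE_SVG = (b'<?xml version="1.0"?>'
              b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<a href="https://phish.example/open"><text>Open</text></a></svg>')


def build_sample_email():
    """Return raw bytes of a constructed message with three attachments:
    a PDF-like blob, an SVG with an honest name and type, and the same SVG
    bytes renamed to .png and declared as image/png."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "target@example.com"
    msg["Subject"] = "Document for review"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(SAMPLE_SVG, maintype="image", subtype="svg+xml",
                       filename="document.svg")
    msg.add_attachment(SAMPLE_SVG, maintype="image", subtype="png",
                       filename="document.png")
    return msg.as_bytes()


def looks_like_svg(data):
    """Content sniff: an <svg tag near the start of the bytes, whatever the name says."""
    head = data.lstrip()[:512].lower()
    return b"<svg" in head


def find_svg_attachments(raw):
    """Return [(filename, [reasons])] for every attachment that is SVG by any test."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = []
        if name.lower().endswith((".svg", ".svgz")):
            reasons.append("extension")
        if part.get_content_type() == "image/svg+xml":
            reasons.append("content-type")
        # decode=True undoes the base64/quoted-printable transfer encoding
        payload = part.get_payload(decode=True) or b""
        if looks_like_svg(payload):
            reasons.append("content-sniff")
        if reasons:
            hits.append((name, reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in find_svg_attachments(build_sample_email()):
        print("flag %s: %s" % (name, ", ".join(reasons)))
```

The renamed attachment is caught only by the content sniff, which is the check a gateway rule based on extension or Content-Type alone would miss. A gzip-compressed .svgz file is the reverse case: the sniff cannot see inside it, so the extension check still has to stay.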
 
4. Keep software & security tools updated
Regularly update your browser, email client and operating system to patch vulnerabilities that attackers may exploit.
 
Use a reliable antivirus and endpoint detection system that scans email attachments before they execute.
 
5. Use multi-factor authentication (MFA)
Even if an attacker tricks you into entering login credentials via a phishing link, MFA can prevent unauthorised access to your accounts.
 
Use authentication apps (like Google Authenticator) instead of SMS-based MFA, which can be intercepted.
 
6. Monitor network & account activity
Regularly check account login history for suspicious activity.
Use a network security solution to detect abnormal traffic, especially if it connects to unknown domains.
 
7. Educate yourself & others
Phishing tactics evolve continuously. So, it is important to stay informed about the latest threats through cybersecurity blogs, official security advisories, and company training.
 
In addition, Sophos X-Ops says users can use a simple trick to handle SVG files: change the default application for .svg files so that opening one launches a program other than the browser. Notepad, which only displays the file's text, is a suitable choice.
 
"To do this, you just download a real SVG graphic, like this one to your desktop. Right-click the file, and choose 'Open with -> Choose another app' – pick something that is not a browser (like Notepad) and fill in the checkbox that reads 'Always use this app to open .svg files'. Even if you accidentally click a malicious SVG in the future, it will only open in Notepad, throwing another roadblock in front of (potentially) being phished. If, at some point, you need to work with real SVG files, follow the same steps again and choose the graphics application you plan to use (instead of Notepad)," Sophos says. 
 
SVG phishing scams are becoming more common and they can be extremely convincing. However, by staying cautious, updating your security settings, and following best practices, you can significantly reduce your risk of falling victim to these scams.
 
Stay alert, stay informed, and most importantly—think twice before opening any unexpected email attachments!
 