Scalable Vector Graphics files pose a novel phishing threat
Author: Andrew Brandt | Date: Wed, 05 Feb 2025 17:01:03 +0000
Criminals who conduct phishing attacks over email have ramped up their abuse of a new threat vector designed to bypass existing anti-spam and anti-phishing protection: the use of a graphics file format called SVG.
The attacks, which begin with email messages that have .svg file attachments, started to spread late last year, and have ramped up significantly since mid-January.
The file format is designed as a method to draw resizable, vector-based images on a computer. By default, SVG files open in the default browser on Windows computers. But SVG files are not just composed of binary data, like the more familiar JPEG, PNG, or BMP file formats. SVG files contain text instructions in an XML format for drawing their pictures in a browser window.
But because SVG images can load and render natively inside a browser, they can also contain anchor tags, scripting, and other kinds of active web content. In this way, threat actors have been abusing the file format. The SVG files used in the attacks include some instructions to draw very simple shapes, such as rectangles, but also contain an anchor tag that links to a web page hosted elsewhere.
When a person unfamiliar with the format double-clicks the attachment in their email, their computer opens the SVG file in their browser. The browser renders both the vector graphics and the anchor tags in a new tab.
If the target clicks the link embedded in the SVG file, the browser will then open the link, which invariably leads to a social engineering trick designed to lure the target into a situation where they need to log in to an account.
Social engineering tricks used in SVG phishing attacks
The subject lines and messages we’ve seen use many tropes common to generic phishing attacks.
One of the patterns being used asserts that the attachment is a legal document that requires a signature. The message subject may use one of the following lines, or something similar:
- Completed: [random characters]_Contract_and_Agreement_[numbers] REF ID [numbers]
- Time to Sign: 2025 SuperAnnuation Enrollment Agreement (January 2025).
- New Voicemail [recipient’s email username]
- You have a new voicemail
- New Voicemail from [email username]
- New Vendor PO#[numbers] (Submission Ref: [random characters], Dated: [date]/Jan/2025)
- TT-[numbers] Approved
- XeroxVersaLink_[random characters]-2025-01-[date]_Contract_[random characters].pdf
- Health and Bonus Benefits Enrollment -Ref:-br#[numbers], Dated : [date]/Jan/2025
- Payment Advice – Ref: / RFQ Priority Payment / Customer Ref:
- KPI Review and Commission Release for [email username] (Ref: [numbers], Dated [day of week], [date]).
- Important: Save or print your finalized document Review Document completion—kindly confirm or ammend #BookingRef-[random characters]
- Payment Confirmation – SWIFT [random characters].pdf
- Your RemittanceReciept Fax-[date]/2025 [time] Contact – [email address]
- eSignature Required: Capital Funding Docs Via e-Docs Ref-[random characters]
- Action: Scan Data: Distribution Agreement for your review and signature. Message ID: #[random characters]
- Attn: Audio Recording REC#[numbers].wav Transcript [date] January 2025 $[random characters]
Many well-known brands and online services are being abused by these attacks, including:
- DocuSign
- Microsoft SharePoint
- Dropbox
- Google Voice
- RingCentral
The body content of these messages is similarly rudimentary, though it may contain the email username (the part of the address that appears before the @ sign) of the recipient/target in the body of the message.
How the attack works
When the target receives an email with an SVG attachment and opens it, unless they have another program they already use to work with SVG files, the file opens in the default browser.
The simplest of these malicious SVG files contain one or a few lines of hyperlinked text that prepend the email username to the phrase “Click To Open” or “Click the link below to listen to the voicemail.”
The link leads to a phishing page behind a Cloudflare CAPTCHA gate. Check the box to prove you’re a human, and you’re redirected to a page operated by the phishing gang that frames a real Office365 login dialog within itself, so it can validate the email address and password at the same time as stealing them.
However, we’ve found more elaborately constructed files as well. One version embeds a link to a remote image inside of the “svg.” The images are hosted on a different, attacker-controlled domain.
There are multiple different versions of the embedded image that are designed to look like DocuSign or SharePoint pages. Clicking anywhere on the image loads the CAPTCHA-gated phishing page. Another version loads the image from a Google Doc.
The most convoluted of these malicious SVGs contained whole blocks of text that had been lifted, seemingly at random, from Wikipedia articles. The text was embedded in the source of the SVG but commented out, so it does not appear on screen.
Also present within another SVG was an elaborate JavaScript that automatically loads the phishing page after a short delay, even if the user doesn’t click any of the hotlinked content.
The phishing pages were all hosted on attacker-controlled domains. As previously mentioned, nearly all of them were gated with a CloudFlare CAPTCHA to prevent automated visits. The sites prefetch the content of the Office365 login dialog from login.live.com and present the target with all the expected animations familiar to an O365 user.
In some cases, the script pre-populated the login dialog with the target’s email address, which had been passed in the query string from the link embedded in the SVG file. A JavaScript event listener in the iframe captures all typed input as the user enters it into the form.
In tests we ran against live sites, most of the sites immediately captured the text input and exfiltrated it directly to the domain hosting the iFrame the login dialog appears in. In a few cases, we discovered that the credentials were transmitted to multiple sites simultaneously.
One session even passed the credentials to a Telegram bot using the messaging service’s API.
Over the course of a week, we were able to observe the phishing pages growing more sophisticated. Very sparsely designed pages began to get cleaner, such as this “voicemail” page.
We also saw brands like Google Voice carefully mimicked in some phishing pages.
We eventually found versions that targeted different languages, based on the top-level domain of the recipient. For example, both the email addressed to a target at a Japanese academic institution and its embedded SVG were crafted in Japanese. This led to a very realistic-looking simulacrum of a Dropbox login screen, also localized to Japanese.
One of the SVG files appeared to try to leverage a networked drive on the target’s own network. It contained a Microsoft network path instead of a URL.
The “Shared File” link triggered a download of an HTML file, which when opened produced a page that looked as though it had a blurred PDF document in the background.
But when tested, the browser threw an error message that indicated the site was trying to open a local network path in Windows Explorer.
The page source attempts to open a network path under “trycloudflare.com”, passing along an embedded, hardcoded username and password; in our testing the attempt failed.
Finally, another of the SVG files we discovered appeared to contain a large amount of data encoded as base64. When we decoded the data, we found that it was a Zip archive, containing two files.
Of the two files compressed into the Zip archive, one was password-protected and the other was not. The password-protected file was a Windows malware executable. The unprotected file was a plaintext document that, oddly, contained the password for the other file in the archive.
It’s the first time I’d seen a password for a password-protected Zip embedded into the Zip itself. But it did, in fact, work.
The file, once uncompressed, is malware that we currently detect as Troj/AutoIt-DHB. It is an AutoIt script that sets up and installs a keystroke logger called Nymeria, triggered simply by the target double-clicking what is ostensibly an image file.
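As an added illustration of the attachment features described in this section (not code from the post or from Sophos), the following Python triage routine flags the patterns listed above in an .svg attachment: external anchor targets, remotely hosted images, script elements and event-handler attributes, local or network paths, large commented-out text blocks, and a base64-encoded Zip archive. The sample SVGs and the example.invalid domains are constructed for the example.

```python
import base64
import re
import xml.etree.ElementTree as ET

HREF_ATTRS = ("href", "{http://www.w3.org/1999/xlink}href")
# Base64 of the "PK\x03\x04" Zip header; heuristic, matches when the archive starts the encoded blob.
ZIP_B64_MAGIC = base64.b64encode(b"PK\x03\x04").decode()[:5]  # "UEsDB"

# Constructed samples (not real attachments): a plain drawing and one using the lure pattern.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10" fill="red"/></svg>'
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect width="600" height="400" fill="white"/>
  <a href="https://phish.example.invalid/?u=jdoe"><text x="20" y="40">jdoe Click To Open</text></a>
  <image xlink:href="https://img.example.invalid/docusign.png" width="600" height="300"/>
  <script>/* placeholder for a delayed-redirect script */</script>
</svg>"""


def local(tag: str) -> str:
    """Strip the XML namespace prefix from an element or attribute name."""
    return tag.rsplit("}", 1)[-1].lower()


def triage_svg(svg_text: str) -> list[str]:
    """Return findings for one SVG; an empty list means none of the patterns were seen."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        name = local(el.tag)
        if name == "script":
            findings.append("script element")
        for attr, value in el.attrib.items():
            v = value.strip()
            if local(attr).startswith("on"):
                findings.append(f"event handler attribute: {local(attr)}")
            if attr not in HREF_ATTRS:
                continue
            if name == "a" and re.match(r"https?://", v, re.I):
                findings.append(f"external link target: {v}")
            elif name == "image" and re.match(r"https?://", v, re.I):
                findings.append(f"remotely hosted image: {v}")
            elif v.startswith("\\\\") or v.lower().startswith("file:"):
                findings.append(f"local/network path: {v}")
    # Comments and raw base64 blobs are not in the element tree, so check the source text too.
    if ZIP_B64_MAGIC in svg_text:
        findings.append("base64-encoded Zip archive in source")
    if re.search(r"<!--.{500,}?-->", svg_text, re.S):
        findings.append("large comment block (hidden padding text)")
    return findings
```

Any non-empty result is a reason to quarantine the attachment for analyst review rather than deliver it; the checks are heuristics and will not catch every obfuscated variant.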
Serious victim grief
Malicious SVG files appear designed to evade detection by conventional endpoint or mail protection tools. However, work by analysts as a result of this research led to the development of a detection signature for the various kinds of weaponized files we’ve observed. That detection, Cxmail/EmSVG-C, is now live in Sophos Central Email.
For regular folks, there are a couple of things that can be done to inoculate your computer against this threat. First, you can find a real SVG graphic file, download it, and then instruct Windows to always open it in Notepad (or some other non-browser program) instead of the default browser.
To do this, you just download a real SVG graphic, like this one to your desktop. Right-click the file, and choose “Open with -> Choose another app” – pick something that isn’t a browser (like Notepad) and fill in the checkbox that reads “Always use this app to open .svg files.”
Even if you accidentally click a malicious SVG in the future, it’ll only open in Notepad, throwing another roadblock in front of (potentially) being phished. (If, at some point, you find you need to work with real SVG files, follow the same steps again, and choose the graphics application you plan to use.)
The phishing pages that loaded in this attack were also quite obviously not hosted on Microsoft’s normal websites. Simply looking at the URL in the browser address bar should be enough to reveal you’re not visiting SharePoint or DocuSign, when you’re loading a page with an .ru top-level domain.
There were other clues as well, such as the fact that the invoices or other messages appeared to come from email accounts that had never emailed the targets before, and were light on details like contact information (or even any message at all in the body, in some cases).
So keeping a sharp, critical eye on messages that seem fishy might be the best phishing prevention.
Indicators of compromise
Indicators of compromise for this threat have been posted to our GitHub repository. Detections have been added for the spam attachment subtype (CXmail/EmSVG-C) in Central Email, SFOS, and some endpoint products, as well as signature-based detection for the malicious SVG attachments (Troj/XMLPh-A, Troj/XMLPh-E, Troj/XMLPh-F, Troj/XMLDrp-AJ, Troj/XML-AV, and Troj/XMLDl-K).
Acknowledgments
Sophos X-Ops thanks Brett Cove and Fan Ho of the mail security team, and Krupa Gajjar, Rutvik Panchal, Khushi Punia, Gyan Ranjan, Purva Shah, Kafil Ahmed Shaikh, Devang Sharma, Simran Sharma, Aaditya Trivedi, and Amey Vijaywargiya of SophosLabs.