Scalable Vector Graphics files pose a novel phishing threat

Credit to Author: Andrew Brandt | Date: Wed, 05 Feb 2025 17:01:03 +0000

Criminals who conduct phishing attacks over email have ramped up their abuse of a new threat vector designed to bypass existing anti-spam and anti-phishing protection: The use of a graphics file format called SVG.

The attacks, which begin with email messages that have .svg file attachments, started to spread late last year, and have ramped up significantly since mid-January.

The file format is designed as a method to draw resizable, vector-based images on a computer. By default, SVG files open in the default browser on Windows computers. But SVG files are not just composed of binary data, like the more familiar JPEG, PNG, or BMP file formats. SVG files contain text instructions in an XML format for drawing their pictures in a browser window.

The content of a legitimate SVG file source alongside a thumbnail

But because SVG images can load and render natively inside a browser, they can also contain anchor tags, scripting, and other kinds of active web content. In this way, threat actors have been abusing the file format. The SVG files used in the attacks include some instructions to draw very simple shapes, such as rectangles, but also contain an anchor tag that links to a web page hosted elsewhere.

A malicious SVG links to a Google Docs file

When a person unfamiliar with the format double-clicks the attachment in their email, their computer opens the SVG file in their browser. The browser renders both the vector graphics and the anchor tags in a new tab.

A simplistic malicious SVG hotlinks the recipient’s email and some text to a phishing page

If the target clicks the link embedded in the SVG file, the browser will then open the link, which invariably leads to a social engineering trick designed to lure the target into a situation where they need to log in to an account.

Social engineering tricks used in SVG phishing attacks

The subject lines and messages we’ve seen use many tropes common to generic phishing attacks.

One of the patterns being used asserts that the attachment is a legal document that requires a signature. The message subject may use one of the following lines, or something similar:

  • Completed: [random characters]_Contract_and_Agreement_[numbers] REF ID [numbers]
  • Time to Sign: 2025 SuperAnnuation Enrollment Agreement (January 2025).
  • New Voicemail [recipient’s email username]
  • You have a new voicemail
  • New Voicemail from [email username]
  • New Vendor PO#[numbers] (Submission Ref: [random characters], Dated: [date]/Jan/2025)
  • TT-[numbers] Approved
  • XeroxVersaLink_[random characters]-2025-01-[date]_Contract_[random characters].pdf
  • Health and Bonus Benefits Enrollment -Ref:-br#[numbers], Dated : [date]/Jan/2025
  • Payment Advice – Ref: / RFQ Priority Payment / Customer Ref:
  • KPI Review and Commission Release for [email username] (Ref: [numbers], Dated [day of week], [date]).
  • Important: Save or print your finalized document Review Document completion—kindly confirm or ammend #BookingRef-[random characters]
  • Payment Confirmation – SWIFT [random characters].pdf
  • Your RemittanceReciept Fax-[date]/2025 [time] Contact – [email address]
  • eSignature Required: Capital Funding Docs Via e-Docs Ref-[random characters]
  • Action: Scan Data: Distribution Agreement for your review and signature. Message ID: #[random characters]
  • Attn: Audio Recording REC#[numbers].wav Transcript [date] January 2025 $[random characters]

Many well-known brands and online services are being abused by these attacks, including:

  • DocuSign
  • Microsoft SharePoint
  • Dropbox
  • Google Voice
  • RingCentral

The body content of these messages is similarly rudimentary, though it may contain the email username (the part of the address that appears before the @ sign) of the recipient/target in the body of the message.

A malicious SVG attached to a fake “fax notification” email

How the attack works

When the target receives an email with an SVG attachment and opens it, unless they have another program they already use to work with SVG files, the file opens in the default browser.

The simplest of these malicious SVG files contain one or a few lines of hyperlinked text that prepend the email username to the phrase “Click To Open” or “Click the link below to listen to the voicemail.”

A simplistic SVG that purports to be a voicemail notification

The link leads to a phishing page behind a Cloudflare CAPTCHA gate. Check the box to prove you’re a human, and you’re redirected to a page operated by the phishing gang that frames a real Office365 login dialog within itself, so it can validate the email and password at the same time as stealing them.

A CAPTCHA protects a phishing site
An alternative CAPTCHA page gating a phishing site

However, we’ve found more elaborately constructed files as well. One version embeds a link to a remote image inside of the “svg.” The images are hosted on a different, attacker-controlled domain.

The SVG contains a live link that points to a raster image resembling a SharePoint notification hosted elsewhere

There are multiple different versions of the embedded image that are designed to look like DocuSign or SharePoint pages. Clicking anywhere on the image loads the CAPTCHA-gated phishing page. Another version loads the image from a Google Doc.

The “LegalSkillsTraining” website hosts nothing but images leveraged in SVG phishing campaigns

The most convoluted of these malicious SVGs contained whole blocks of text that had been lifted, seemingly at random, from Wikipedia articles. The text was embedded in the source of the SVG but commented out, so it does not appear on screen.

A Wikipedia entry fills space in this malicious SVG that also includes JavaScript

Also present within another SVG was an elaborate JavaScript that automatically loads the phishing page after a short delay, even if the user doesn’t click any of the hotlinked content.
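The features described above (anchor tags that leave the file, remotely hosted images, commented-out padding, and script or event-handler content) are all visible in the SVG source, so a mail gateway or analyst can triage an attachment without rendering it. The scanner below is an added example written for this post, not code from Sophos or from the campaign; it uses only the Python standard library, and the three sample SVGs at the bottom are constructed with `.invalid` placeholder hostnames. It also flags the UNC and `file:` style paths the post describes later, so it goes slightly beyond this paragraph.

```python
"""Structural triage for SVG e-mail attachments.

Added example, not code from the Sophos post: it parses an SVG with the
standard library and reports the active-content features the post describes
(anchor tags that leave the file, remotely hosted <image> elements, <script>
elements, on* event-handler attributes, UNC or file: paths, and large
commented-out padding). The sample SVGs at the bottom are constructed.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)
COMMENT = re.compile(r"<!--.*?-->", re.S)


def _local_name(tag):
    """Strip the XML namespace from an element or attribute name: '{ns}a' -> 'a'."""
    return tag.rsplit("}", 1)[-1].lower()


def _href(el):
    """SVG 2 allows a plain href attribute; older files use xlink:href."""
    return el.get("href") or el.get(XLINK_HREF)


def triage_svg(svg_text, padding_threshold=2000):
    """Return a list of findings; an empty list means no active content was seen."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return ["unparseable-xml:%s" % exc]

    for el in root.iter():
        tag = _local_name(el.tag)
        href = _href(el)
        parsed = urlparse(href) if href else None

        if tag == "script":
            findings.append("script-element")
        elif tag == "foreignobject":
            findings.append("foreignObject-element")
        elif tag == "a" and href:
            if parsed.scheme in ("http", "https"):
                findings.append("external-link:%s" % parsed.netloc)
            elif parsed.scheme == "javascript":
                findings.append("javascript-uri")
            elif parsed.scheme == "file" or href.startswith("\\\\"):
                findings.append("unc-or-file-link")
        elif tag == "image" and href and parsed.scheme in ("http", "https"):
            findings.append("remote-image:%s" % parsed.netloc)

        # onload, onclick and friends run script without a <script> element
        for attr in el.attrib:
            if EVENT_ATTR.match(_local_name(attr)):
                findings.append("event-handler:%s" % _local_name(attr))

    # ElementTree discards comments, so measure padding on the raw text.
    padding = sum(len(c) for c in COMMENT.findall(svg_text))
    if padding > padding_threshold:
        findings.append("comment-padding:%d-bytes" % padding)
    return findings


# --- constructed samples (placeholder hosts, not real campaign files) -----

BENIGN_SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">
  <rect width="16" height="16" fill="#1e90ff"/>
</svg>"""

PHISH_SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="200"
     onload="console.log('placeholder for the delayed-redirect script')">
  <rect width="400" height="200" fill="#ffffff"/>
  <a xlink:href="https://phish.invalid/login?u=jsmith"><text x="20" y="100">jsmith Click To Open</text></a>
  <image href="https://images.invalid/sharepoint-notice.png" width="400" height="200"/>
</svg>"""

UNC_SAMPLE = r"""<svg xmlns="http://www.w3.org/2000/svg">
  <a href="\\fileserver.invalid\share\Shared File.html"><text x="10" y="20">Shared File</text></a>
</svg>"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("phish", PHISH_SAMPLE), ("unc", UNC_SAMPLE)):
        print(name, triage_svg(sample))
```

Any non-empty result is a reason to quarantine rather than deliver: a genuine graphic needs none of these features. For attachments from untrusted senders, parse with a hardened parser such as `defusedxml` in place of `xml.etree`, since the standard parser is not designed for hostile input.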

The “RaccoonClient” version of the SVG automatically loads the phishing page after a delay

The phishing pages were all hosted on attacker-controlled domains. As previously mentioned, nearly all of them were gated with a Cloudflare CAPTCHA to prevent automated visits. The sites prefetch the content of the Office365 login dialog from login.live.com and present the target with all the expected animations familiar to an O365 user.

The source of the phishing page shows it loading the Microsoft login content inside a frame within the page that captures keystrokes

In some cases, the script pre-populated the login dialog with the target’s email address, which had been passed in the query string from the link embedded in the SVG file. An “EventListener” JavaScript in the iFrame captures all typed input as the user enters it into the form.

In tests we ran against live sites, most of the sites immediately captured the text input and exfiltrated it directly to the domain hosting the iFrame the login dialog appears in. In a few cases, we discovered that the credentials were transmitted to multiple sites simultaneously.

One of the external sites that received exfiltrated data, “VirtualPorno,” which had nothing of the sort, but did have open directories that contained the phishing scripts

One session even passed the credentials to a Telegram bot using the messaging service’s API.

An SVG phishing page exfiltrates data to a Telegram bot

Over the course of a week, we were able to observe the phishing pages growing more sophisticated. Very sparsely designed pages began to get cleaner, such as this “voicemail” page.

A “voicemail” download link prompts for a password. The target’s email address was prefilled.

We also saw brands like Google Voice carefully mimicked in some phishing pages.

A fake Google Voice login also had the target’s email address as well as the name of their employer’s organization embedded in the page.

We eventually found versions localized to different languages, based on the top-level domain of the recipient. For example, both the email addressed to a target at a Japanese academic institution and its embedded SVG were crafted in Japanese. This led to a very realistic-looking simulacrum of a Dropbox login screen, also localized to Japanese.

A fake Dropbox login in Japanese prompts the target to download a voicemail message

One of the SVG files appeared to try to leverage a networked drive on the target’s own network. It contained a Microsoft network path instead of a URL.

The “shared file” spam contains an SVG that uses a network path, presumably accessible to the target’s network

The “Shared File” link triggered a download of an HTML file, which when opened produced a page that looks like it has a blurred PDF document in the background.

The local HTML file prompts the user to click the Open button

But when tested, the browser threw an error message that indicated the site was trying to open a local network path in Windows Explorer.

The error message indicates that instead of a webpage it was trying to open a local network path

The page source seems to want to open a network path under “trycloudflare.com” that passes an embedded, hardcoded username and password unsuccessfully.

A network path that contained a hardcoded username and password

Finally, another of the SVG files we discovered appeared to contain a large amount of data encoded as base64. When we decoded the data, we found that it was a Zip archive, containing two files.

The SVG with a base64 data blob inside

Of the two files compressed into the Zip file, one was password-protected, the other was not. The password-protected file is a Windows malware executable. The unprotected file was a plaintext document that, oddly, contained the password for the other file in the archive.

The zip file contained a password-protected executable and an unprotected text file that contained the password for the other file

It’s the first time I’d seen a password for a password-protected Zip embedded into the Zip itself. But it did, in fact, work.

The password in the text file compressed with the malware executable

The uncompressed file is malware that we currently detect as Troj/AutoIt-DHB. It is an AutoIt script that sets up and installs a keystroke logger called Nymeria, all triggered by the target double-clicking what is ostensibly an image file.
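The base64-wrapped archive described above can be carved and inventoried without ever extracting the executable: the Zip central directory records each member's name, size and whether it is encrypted, and an unencrypted text member can be read safely. The code below is an added example written for this post, not Sophos code or anything recovered from the campaign. It builds its own sample SVG in memory (the "executable" is a stub starting with the MZ bytes, not a real program, and the encrypted flag is set by hand because the standard library can read but not write encrypted Zips) and then runs the carving and description routines over it.

```python
"""Carving and describing a base64 payload embedded in an SVG.

Added example, not code from the Sophos post: it finds long base64 runs in
an SVG's source, decodes them, recognises a Zip archive by its PK signature
and lists the members, marking which are encrypted and reading the contents
of small plaintext members such as the password note the post describes.
The sample SVG and its archive are constructed here; the 'executable' is an
MZ-prefixed stub, not a real program.
"""
import base64
import binascii
import io
import re
import struct
import zipfile

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def carve_base64_blobs(svg_bytes):
    """Yield the decoded bytes of every long base64 run in the SVG source."""
    for match in B64_RUN.finditer(svg_bytes):
        run = match.group(0)
        run += b"=" * (-len(run) % 4)          # restore stripped padding
        try:
            yield base64.b64decode(run, validate=True)
        except binascii.Error:
            continue


def describe_blob(blob, text_limit=4096):
    """Describe a carved blob: Zip archives get a member listing, others just their magic."""
    if not blob.startswith(b"PK\x03\x04"):
        return {"type": "unknown", "magic": blob[:4].hex(), "size": len(blob)}
    report = {"type": "zip", "entries": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            entry = {
                "name": info.filename,
                "size": info.file_size,
                # bit 0 of the general-purpose flags marks an encrypted member
                "encrypted": bool(info.flag_bits & 0x1),
            }
            # only small, unencrypted members are read (e.g. the password note)
            if not entry["encrypted"] and info.file_size <= text_limit:
                entry["text"] = zf.read(info).decode("utf-8", "replace")
            report["entries"].append(entry)
    return report


def triage_svg_payloads(svg_bytes):
    """Return one report per embedded blob found in the SVG."""
    return [describe_blob(b) for b in carve_base64_blobs(svg_bytes)]


# --- constructed sample ----------------------------------------------------

def _mark_encrypted(zip_bytes, member):
    """Set the 'encrypted' flag on one member's local and central-directory headers.
    Only used to build the sample: the stdlib can read but not write encrypted zips."""
    buf = bytearray(zip_bytes)
    # (signature, flag-bits offset, name-length offset, fixed header length)
    for sig, flag_off, len_off, fixed in ((b"PK\x03\x04", 6, 26, 30), (b"PK\x01\x02", 8, 28, 46)):
        pos = buf.find(sig)
        while pos != -1 and pos + fixed <= len(buf):
            (name_len,) = struct.unpack_from("<H", buf, pos + len_off)
            if buf[pos + fixed:pos + fixed + name_len] == member:
                buf[pos + flag_off] |= 0x01
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_sample_svg():
    """An SVG wrapping a base64 Zip: an 'encrypted' stub exe plus a plaintext password note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Voicemail.exe", b"MZ" + bytes(range(256)) * 2)   # stub, not a PE
        zf.writestr("password.txt", "Archive password: Sample-Pass-2025\n")
    blob = _mark_encrypted(buf.getvalue(), b"Voicemail.exe")
    return (b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="8" height="8"/>'
            b"<text>" + base64.b64encode(blob) + b"</text></svg>")


if __name__ == "__main__":
    for report in triage_svg_payloads(build_sample_svg()):
        print(report)
```

The report is enough to block the message and to seed a sandbox detonation: a Zip inside an image file, with an encrypted `.exe` member beside a plaintext note, is not something a legitimate graphic contains. The encrypted member is never opened here; its name, size and flag come from the central directory alone.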

Serious victim grief

Malicious SVG files appear designed to evade detection by conventional endpoint or mail protection tools. However, work by analysts as a result of this research led to the development of a detection signature for the various kinds of weaponized files we’ve observed. That detection, Cxmail/EmSVG-C, is now live in Sophos Central Email.

For regular folks, there are a couple of things that can be done to inoculate your computer against this threat. First, you can find a real SVG graphic file, download it, and then instruct Windows to always open it in Notepad (or some other non-browser program) instead of the default browser.

To do this, you just download a real SVG graphic, like this one to your desktop. Right-click the file, and choose “Open with -> Choose another app” – pick something that isn’t a browser (like Notepad) and fill in the checkbox that reads “Always use this app to open .svg files.”

First choose another app…
…then pick something benign that should open it instead of the browser, and check “Always use this app”

Even if you accidentally click a malicious SVG in the future, it’ll only open in Notepad, throwing another roadblock in front of (potentially) being phished. (If, at some point, you find you need to work with real SVG files, follow the same steps again, and choose the graphics application you plan to use.)

The phishing pages that loaded in this attack were also quite obviously not hosted on Microsoft’s normal websites. Simply looking at the URL in the browser address bar should be enough to reveal you’re not visiting SharePoint or DocuSign, when you’re loading a page with an .ru top-level domain.

Your first clue is the .ru

There were other clues as well, such as the fact that the invoices or other messages appeared to come from email accounts that had never emailed the targets before, and were light on details like contact information (or even any message at all in the body, in some cases).

I hope your lawyer writes more than absolutely nothing when they send you a contract to sign

So keeping a sharp, critical eye on messages that seem fishy might be the best phishing prevention.

Indicators of compromise

Indicators of compromise for this threat have been posted to our GitHub repository. Detections have been added for the spam attachment subtype (CXmail/EmSVG-C) in Central Email, SFOS, and some endpoint products, as well as signature-based detection for the malicious SVG attachments (Troj/XMLPh-A, Troj/XMLPh-E, Troj/XMLPh-F, Troj/XMLDrp-AJ, Troj/XML-AV, and Troj/XMLDl-K).

Acknowledgments

Sophos X-Ops thanks Brett Cove and Fan Ho of the mail security team, and Krupa Gajjar, Rutvik Panchal, Khushi Punia, Gyan Ranjan, Purva Shah, Kafil Ahmed Shaikh, Devang Sharma, Simran Sharma, Aaditya Trivedi, and Amey Vijaywargiya of SophosLabs.
