Cybercriminals have escalated their phishing tactics by leveraging Scalable Vector Graphics (SVG) files to bypass traditional anti-phishing and anti-spam defenses.
These attacks, which first became widespread late last year, have increased dramatically since January 2025, exploiting the unique properties of SVG files to deceive users and steal sensitive information.
SVG files are a vector-based graphics format designed to create resizable images using XML text instructions.
Unlike traditional image formats such as JPEG or PNG, SVG files can embed active web content like anchor tags, JavaScript, and HTML. This versatility has made them an attractive tool for cybercriminals.
When a user opens a malicious SVG file, often attached to a phishing email, the file launches in the default browser.
Embedded within the file are hyperlinks or scripts that redirect the user to phishing pages.
These pages mimic legitimate login portals for services such as Office365, Dropbox, or DocuSign. Once users input their credentials, the attackers capture them in real-time.
Social Engineering Tactics
Sophos Labs reports that phishing emails are crafted with subject lines designed to lure users into opening the attachments. Common examples include:
- “New Voicemail from [email username]”
- “Payment Confirmation – SWIFT [random characters].pdf”
- “eSignature Required: Capital Funding Docs Via e-Docs Ref-[random characters]”
The messages often impersonate well-known brands like Microsoft SharePoint, Google Drive, or DocuSign, adding credibility to the scam.
Many phishing pages are gated with Cloudflare CAPTCHA challenges to prevent automated security scans. Once the challenge is passed, users are presented with realistic login forms that often pre-fill their email addresses.
Some SVG files include JavaScript that automatically redirects users to phishing pages without requiring them to click any links.
Advanced campaigns tailor phishing pages to match the language and region of the target based on their email domain.
In some cases, SVG files contain embedded Base64-encoded data that unpacks into zip archives containing malware like AutoIt-based keystroke loggers (e.g., Nymeria).
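To make the markers described above concrete, here is an added example (written for this article, not Sophos' tooling) of how a mail gateway might triage an SVG attachment: it parses the XML and flags script elements, event-handler attributes, external or javascript: links, foreignObject HTML, and base64 runs that decode to a zip archive. The sample SVG and the domain phish.example are constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET

ZIP_MAGIC = b"PK\x03\x04"                       # local-file header of a zip archive
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")  # long base64-looking runs


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as {http://www.w3.org/2000/svg}."""
    return name.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list[tuple[str, str]]:
    """Return (category, detail) findings for active content in an SVG file."""
    findings = []
    for el in ET.fromstring(data).iter():
        tag = _local(el.tag)
        if tag == "script":
            findings.append(("script", (el.text or "").strip()[:60]))
        elif tag == "foreignObject":
            findings.append(("foreignObject", "embedded HTML/XHTML content"))
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):       # onload=, onclick=, ...
                findings.append(("event-handler", f"{tag}@{name}={value[:60]}"))
            elif name == "href" and re.match(r"(?i)(https?:|javascript:)", value.strip()):
                findings.append(("external-link", f"{tag}@{name}={value[:60]}"))
    # Base64 blobs anywhere in the text that unpack to a zip archive (see above).
    for blob in B64_RUN.findall(data.decode("utf-8", "replace")):
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        if decoded.startswith(ZIP_MAGIC):
            findings.append(("embedded-zip", f"{len(decoded)} bytes decoded"))
    return findings


# Constructed sample (not from a real campaign): an "image" carrying a redirect
# script, an onload handler, an external link, and a base64-encoded zip stub.
_FAKE_ZIP_B64 = base64.b64encode(ZIP_MAGIC + b"\x00" * 60).decode()
SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="300" onload="go()">
  <script>window.location = "https://phish.example/login";</script>
  <a xlink:href="https://phish.example/docs"><text x="10" y="20">Open document</text></a>
  <foreignObject width="100" height="50"><div xmlns="http://www.w3.org/1999/xhtml">Sign in</div></foreignObject>
  <desc>{_FAKE_ZIP_B64}</desc>
</svg>""".encode()
```

Any non-empty result is grounds to quarantine the attachment rather than render it; a plain drawing made only of shapes and paths yields no findings.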
Victims of these attacks face severe consequences, ranging from stolen credentials to malware infections.
For example, one campaign used SVG files to deliver a password-protected zip archive containing a Trojan (Troj/AutoIt-DHB) that installed a keylogger.
Another campaign exploited SVG files to mimic DocuSign portals, tricking users into downloading malicious HTML files.
Mitigation Strategies
To counter these threats:
- Configure Windows to open SVG files in text editors like Notepad instead of browsers.
- Avoid opening attachments from unknown senders or emails with unusual subject lines.
- Verify URLs in the browser’s address bar; phishing sites often use suspicious domains like “.ru” instead of legitimate ones.
- Regularly update antivirus software and operating systems to detect emerging threats like Cxmail/EmSVG-C.
The abuse of SVG files in phishing campaigns highlights the evolving tactics of cybercriminals aiming to bypass conventional defenses. Organizations and individuals must remain vigilant and adopt proactive measures to mitigate these sophisticated attacks.