Scalable Vector Graphics (SVG) files pose a novel phishing threat
Email phishers have stepped up their use of a deceptive technique aimed at evading existing anti-spam and anti-phishing defenses: attaching images in the SVG file format.
The attacks, which arrive as email messages with .svg attachments, began spreading late last year and have escalated markedly since about mid-January.
The format is designed to describe scalable, vector-based images. On Windows machines, SVG files open in the default web browser. Unlike the more common JPEG, PNG or BMP formats, an SVG file is not a block of binary pixel data; it is an XML text document containing instructions that the browser follows to draw the image in its viewport.

Because SVG images are loaded and rendered directly by the browser, they can also embed anchor tags, scripts and other dynamic web content, and threat actors have taken advantage of this. The SVG files used in these attacks contain instructions for drawing simple shapes, such as rectangles, together with an anchor tag linking to an external web page.

When a recipient who is unfamiliar with the format opens the attachment, the SVG file opens in the browser, which renders both the vector graphics and the anchor tag in a new tab.

If the recipient clicks the link embedded in the SVG, the browser opens it, leading to a lure designed to get the target to sign in to an account.
Social engineering strategies used in SVG phishing lures
The message subjects and bodies observed so far use many of the themes typical of generic phishing.
One tactic claims that the attachment is a legal document that needs a signature. The email subject may be one of the following lines, or something similar:
- Processed: [random characters]_Agreement_and_Contract_[numbers] REF ID [numbers]
- Time for Validation: 2025 Retirement Scheme Agreement (January 2025).
- New Voicemail [recipient’s email username]
- You’ve received a fresh voicemail
- Latest Voicemail from [email username]
- New Supplier Invoice#[numbers] (Doc Ref: [random characters], Stamped: [date]/Jan/2025)
- TT-[numbers] Approved
- XeroxVersaLink_[random characters]-2025-01-[date]_Agreement_[random characters].pdf
- Health and Benefits Registration -Reference:-br#[numbers], Dated : [date]/Jan/2025
- Payment Advice – Ref: / RFQ Urgent Payment / Client Ref:
- KPI Assessment and Payment Release for [email username] (Ref: [numbers], on [day of week], [date]).
- Significant: Preserve or print your finalized document Review Document completion—kindly confirm or rectify #BookingRef-[random characters]
- Payment Verification – SWIFT [random characters].pdf
- Your Payment Receipt Fax-[date]/2025 [time] Contact – [email address]
- eSignature Necessary: Finance Papers Through e-Docs Ref-[random characters]
- Action: Scan Data: Distribution Contract for your review and signature. Message ID: #[random characters]
- Att: Audio Recording REC#[numbers].wav Transcript [date] January 2025 $[random characters]
Several well-known brands and online services are impersonated in these campaigns, including:
- DocuSign
- Microsoft SharePoint
- Dropbox
- Google Voice
- RingCentral
The body of these messages is equally minimal, though it may include the recipient's email username (the part of the address before the @ symbol).

How the attack works
When a recipient opens an email with an SVG attachment, the file launches in the default web browser unless another application has been associated with SVG files on their system.
The most basic of these malicious SVG files consist of just a line or two of linked text that prefixes the email username with phrases like “Click To Open” or “Press the link below to hear the voicemail.”

The link leads to a phishing site hidden behind a Cloudflare CAPTCHA. Once the visitor ticks the box to prove they are human, they are redirected to a page operated by the phishing crew that embeds a genuine Office 365 login dialog inside itself, so that it can both validate and steal the email address and password at the same time.


More elaborately structured files have also been found. In one variant, a link to a remote image is embedded in the SVG; the images are hosted on a separate attacker-controlled domain.

Several versions of the embedded image mimic DocuSign or SharePoint pages. Clicking anywhere on the image opens the CAPTCHA-protected phishing page. Another variant loads the image from a Google Doc.

The most complex of the malicious SVGs contained large blocks of text apparently excerpted at random from Wikipedia articles. This text was included in the SVG source but commented out, so it never appears on screen.

Another SVG contained JavaScript that automatically redirects to the phishing page after a brief delay, without the recipient clicking any of the linked content.
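As an added example (not code from the original article or from Sophos), the following Python script shows how a mail gateway or an analyst could triage SVG attachments for the constructs described in this section: anchors to external URLs, remotely loaded images, script elements, inline event handlers and large commented-out text. It goes slightly beyond the variants listed here by also flagging UNC-style network paths, which a later variant in this article uses in place of a URL. The message and SVG it processes are constructed for the example; the example.invalid hostnames, the file name voicemail.svg, and the 2000-character threshold for hidden text are assumptions, not figures from the article.

```python
"""Triage SVG attachments in an email message (constructed example).

Walks the MIME parts of a message, picks out any part that is an SVG
(by declared type, by .svg filename, or by sniffing for an <svg root)
and reports risky constructs: anchors to external URLs, UNC-style
network paths, <script> elements, inline event handlers, remotely
loaded images and large commented-out text.
"""
import email
import re
import xml.etree.ElementTree as ET
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
HIDDEN_TEXT_LIMIT = 2000  # assumed: this much commented-out text is treated as padding


def is_svg_part(part) -> bool:
    """Recognise an SVG attachment even if the declared type or extension is misleading."""
    if part.get_content_type() == "image/svg+xml":
        return True
    if (part.get_filename() or "").lower().endswith(".svg"):
        return True
    payload = part.get_payload(decode=True) or b""
    return b"<svg" in payload[:4096].lower()


def triage_svg(svg_bytes: bytes) -> dict:
    """Return a report of risky constructs found in one SVG document."""
    text = svg_bytes.decode("utf-8", errors="replace")
    report = {"external_links": [], "remote_images": [], "network_paths": [],
              "scripts": 0, "event_handlers": 0, "parse_error": False,
              # ElementTree discards comments, so measure them on the raw text.
              "hidden_comment_chars": sum(len(c) for c in re.findall(r"<!--(.*?)-->", text, re.S))}
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        report["parse_error"] = True
        root = None
    for el in (root.iter() if root is not None else []):
        tag = el.tag.split("}")[-1].lower()  # strip the XML namespace
        if tag == "script":
            report["scripts"] += 1
        report["event_handlers"] += sum(1 for a in el.attrib if a.split("}")[-1].lower().startswith("on"))
        href = el.get("href") or el.get(XLINK_HREF)
        if not href:
            continue
        scheme = urlparse(href).scheme.lower()
        if href.startswith("\\\\") or scheme == "file":
            report["network_paths"].append(href)
        elif scheme in ("http", "https"):
            (report["remote_images"] if tag == "image" else report["external_links"]).append(href)
    report["risky"] = bool(report["scripts"] or report["event_handlers"] or report["external_links"]
                           or report["remote_images"] or report["network_paths"]
                           or report["hidden_comment_chars"] > HIDDEN_TEXT_LIMIT)
    return report


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and triage every SVG attachment in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reports = []
    for part in msg.walk():
        if part.is_multipart() or not is_svg_part(part):
            continue
        report = triage_svg(part.get_payload(decode=True))
        report["filename"] = part.get_filename()
        reports.append(report)
    return reports


# --- constructed sample input (not a real lure; example.invalid never resolves) ---
FILLER = ("constructed filler text " * 120).encode()  # 2880 chars standing in for the Wikipedia padding
SAMPLE_SVG = b"\n".join([
    b'<?xml version="1.0"?>',
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="200">',
    b"<!--" + FILLER + b"-->",
    b'<rect width="400" height="200" fill="#fff" onclick="void 0"/>',
    b'<a href="https://example.invalid/voicemail?u=jdoe"><text x="20" y="100">Click To Open: jdoe</text></a>',
    b'<image xlink:href="https://example.invalid/docusign.png" width="400" height="200"/>',
    b'<a href="\\\\files.example.invalid\\share"><text x="20" y="150">Shared File</text></a>',
    b"<script>/* body omitted in this constructed sample */</script>",
    b"</svg>",
])


def build_sample_message() -> bytes:
    """Wrap the sample SVG in a message shaped like the lures described in the article."""
    msg = EmailMessage()
    msg["From"] = "unknown-sender@example.invalid"
    msg["To"] = "jdoe@example.invalid"
    msg["Subject"] = "New Voicemail jdoe"
    msg.set_content("")  # the lures often carry no body text at all
    msg.add_attachment(SAMPLE_SVG, maintype="image", subtype="svg+xml", filename="voicemail.svg")
    return msg.as_bytes()


if __name__ == "__main__":
    for r in triage_message(build_sample_message()):
        print(r["filename"], "RISKY" if r["risky"] else "ok", r)
```

The sniffing fallback in is_svg_part matters because the declared MIME type and extension are under the sender's control; the content check catches an SVG that arrives as a generic octet-stream. Comments are counted on the raw text rather than the parsed tree, since ElementTree drops them, which is exactly where the commented-out filler hides.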

The phishing pages were hosted on attacker-controlled domains. As noted above, nearly all were protected by a Cloudflare CAPTCHA to block automated visits. The sites pre-fetch the content of the Office 365 login window from login.live.com and show the user all the animations expected of the O365 interface.

In some cases, the script pre-filled the login dialog with the target's email address, passed in the query string of the link in the SVG file. A JavaScript event listener in the iframe captures every keystroke as the user types into the form.
During tests on live sites, most of them immediately intercepted the typed text and sent it to the domain hosting the iframe in which the login dialog was displayed. In a few instances, we found the credentials being sent to multiple sites simultaneously.

During one session, the credentials were even sent to a Telegram bot using the messaging platform’s API.

Over the course of a week, we watched the phishing pages become more sophisticated. Pages that started out very plain began to look more polished, like this “voicemail” page.

We also observed instances where brands like Google Voice were meticulously replicated in some phishing attempts.

We eventually came across variations that targeted different languages based on the top-level domain of the recipient. For instance, an email sent to a recipient at a Japanese educational institution and the accompanying embedded SVG were both in Japanese. This resulted in a very authentic-looking simulation of a Dropbox login screen, also in Japanese.

One SVG file appeared to try to use a network share on the recipient's own network: it contained a Microsoft network (UNC) path instead of a URL.

The link labeled “Shared File” initiated a download of an HTML file which, when opened, displayed a page that appears to have a blurred PDF document in the background.

In testing, however, the browser showed an error indicating that the page was attempting to open a local network path in Windows Explorer.

The page source appears to try to reach a network path under “trycloudflare.com”, passing an embedded, hardcoded username and password, without success.

Finally, another SVG file we found appeared to contain a large amount of base64-encoded data. Decoded, it turned out to be a Zip archive containing two files.

One file in the Zip was password-protected; the other was not. The encrypted file was a Windows malware executable. Curiously, the unencrypted file was a plain text document containing the password for the encrypted file in the same archive.

It was the first instance I had encountered where a password for a password-protected Zip was embedded within the Zip itself. Surprisingly, it worked perfectly.

The decompressed file is detected as Troj/AutoIt-DHB, an AutoIt script that configures and installs a keylogger named Nymeria, triggered when the user double-clicks what appears to be a simple image file.
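As an added example (not code from the original article or from Sophos), the following Python script automates the triage just described: it finds a long base64 run in an SVG, decodes it, recognises a Zip archive by its magic bytes, lists the members, flags the encrypted one, pulls a password out of the plaintext member and uses it to identify what the locked member is, all in memory and without executing anything. The archive it analyses is constructed inside the script: the ZipCrypto encryptor and hand-built Zip writer exist only to create that fixture (the standard library can decrypt the format but not write it), and the file names, the password, the "password:" note format and the 4096-byte limit on members searched for a password are all assumptions, not details from the sample described above.

```python
"""Find a base64-embedded archive inside an SVG and inspect it in memory.

Constructed example: locate long base64 runs in the SVG source, decode
them, identify the result by its magic bytes and, for a Zip archive,
list the members, flag the encrypted ones, look for a password left in a
plaintext member and use it to identify the locked member, without ever
writing the payload to disk.
"""
import base64
import io
import re
import struct
import zipfile
import zlib

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")                      # 200 chars is an assumed minimum
PASSWORD_RE = re.compile(rb"(?:password|pass|pw)\s*[:=]\s*(\S+)", re.I)  # assumed note format
MAGIC = [(b"PK\x03\x04", "zip"), (b"MZ", "pe"), (b"%PDF", "pdf"), (b"\x7fELF", "elf")]


def identify(data: bytes) -> str:
    """Name a blob by its leading magic bytes, or 'unknown'."""
    return next((kind for magic, kind in MAGIC if data.startswith(magic)), "unknown")


def find_embedded_payloads(svg_bytes: bytes) -> list:
    """Decode every long base64 run and keep those that decode to a recognised file type."""
    found = []
    for m in B64_RUN.finditer(svg_bytes):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # a long run of letters that is not really base64
            continue
        if identify(data) != "unknown":
            found.append(data)
    return found


def inspect_zip(data: bytes) -> dict:
    """Enumerate an in-memory zip, recover a password from a plaintext member, identify what it unlocks."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        encrypted = lambda i: bool(i.flag_bits & 1)  # general-purpose flag bit 0
        members = [{"name": i.filename, "size": i.file_size, "encrypted": encrypted(i)} for i in infos]
        passwords = []
        for i in infos:  # small plaintext members may hold the password for the encrypted one
            if not encrypted(i) and i.file_size < 4096:
                passwords += [m.group(1) for m in PASSWORD_RE.finditer(zf.read(i.filename))]
        unlocked = {}
        for i in infos:
            for pw in (passwords if encrypted(i) else []):
                try:
                    unlocked[i.filename] = identify(zf.read(i.filename, pwd=pw))
                    break
                except (RuntimeError, zipfile.BadZipFile):  # wrong password
                    continue
    return {"kind": "zip", "members": members, "passwords": passwords, "unlocked": unlocked}


def analyze_svg_payloads(svg_bytes: bytes) -> list:
    """Report every recognisable payload embedded in the SVG."""
    return [inspect_zip(d) if identify(d) == "zip" else {"kind": identify(d), "size": len(d)}
            for d in find_embedded_payloads(svg_bytes)]


# --- fixture construction: a stored zip with one ZipCrypto-encrypted member (constructed) ---
def _zipcrypto(data: bytes, pwd: bytes, crc: int) -> bytes:
    """Traditional PKWARE encryption, the scheme the standard library can decrypt."""
    keys = [0x12345678, 0x23456789, 0x34567890]
    crc_byte = lambda key, b: zlib.crc32(bytes([b]), key ^ 0xFFFFFFFF) ^ 0xFFFFFFFF
    def update(b):
        keys[0] = crc_byte(keys[0], b)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = crc_byte(keys[2], keys[1] >> 24)
    for b in pwd:
        update(b)
    out = bytearray()
    for b in bytes(11) + bytes([crc >> 24]) + data:  # 12-byte header ends with the CRC's high byte
        k = (keys[2] | 2) & 0xFFFF
        out.append(b ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        update(b)
    return bytes(out)


def build_zip(members: list, pwd: bytes) -> bytes:
    """Write a stored zip from (name, data, encrypt) triples."""
    body, central = bytearray(), bytearray()
    for name, data, encrypt in members:
        crc = zlib.crc32(data) & 0xFFFFFFFF
        blob = _zipcrypto(data, pwd, crc) if encrypt else data
        n, flags, off = name.encode(), int(encrypt), len(body)
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                            crc, len(blob), len(data), len(n), 0) + n + blob
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0x21,
                               crc, len(blob), len(data), len(n), 0, 0, 0, 0, 0, off) + n
    end = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(members), len(members), len(central), len(body), 0)
    return bytes(body + central + end)


PASSWORD = b"constructed-pass-2025"
PAYLOAD = b"MZ" + bytes(62) + b"constructed placeholder, not a real executable"
SAMPLE_ZIP = build_zip([("invoice.exe", PAYLOAD, True),
                        ("readme.txt", b"Archive password: constructed-pass-2025\n", False)], PASSWORD)
SAMPLE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><text y="20">Open the attached document</text>'
              b"<desc>" + base64.b64encode(SAMPLE_ZIP) + b"</desc></svg>")
```

Only the member's magic bytes are reported, never the member itself: the point of the triage is to learn that a password-protected archive carrying a PE sits inside an image attachment, which is enough to quarantine the message, without ever writing the payload out. The CRC check that zipfile performs on the decrypted data means a wrong recovered password surfaces as an exception rather than as garbage.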
Guidance for potential victims
These malicious SVG files appear to have been deliberately crafted to evade detection by standard endpoint and email security tools. Following this research, analysts created a detection signature, CXmail/EmSVG-C, that identifies various forms of the weaponized files. The signature is now live in Sophos Central Email.
For non-technical users, there are a couple of steps you can take to protect your system from this threat. First, find a genuine SVG image file, download it, and set Windows to open such files in Notepad (or another non-browser application) by default.
To do this, download a legitimate SVG image, such as the one provided here, to your desktop. Right-click the file, choose “Open with -> Choose another app”, pick a non-browser app (such as Notepad), and tick the checkbox that says “Always use this application to open .svg files.”


If you later click a potentially malicious SVG by accident, it will open in Notepad instead, putting an extra obstacle in front of a phishing attempt. If you later need to work with legitimate SVG files, repeat the same steps and select the graphics application you intend to use.
In this attack, the phishing pages did not load from Microsoft's standard websites. Simply checking the URL in the browser's address bar should make it apparent that the page you are viewing does not belong to SharePoint or DocuSign, especially when the top-level domain is .ru.

Other clues included the suspicious nature of the emails themselves: they were sent from accounts that had never contacted the recipients before and lacked basic details such as contact information, or any message body at all.

Vigilance and scrutiny of suspicious messages therefore remain crucial to effective phishing prevention.
Indicators of compromise
Indicators of compromise for this threat have been published on our GitHub repository. Detection has been enhanced to identify the spam attachment subtype (CXmail/EmSVG-C) in Central Email, SFOS and some endpoint products, alongside signature-based detection of malicious SVG attachments (Troj/XMLPh-A, Troj/XMLPh-E, Troj/XMLPh-F, Troj/XMLDrp-AJ, Troj/XML-AV, and Troj/XMLDl-K).
Acknowledgments
Sophos X-Ops expresses gratitude to Brett Cove and Fan Ho of the mail security team, as well as Krupa Gajjar, Rutvik Panchal, Khushi Punia, Gyan Ranjan, Purva Shah, Kafil Ahmed Shaikh, Devang Sharma, Simran Sharma, Aaditya Trivedi, and Amey Vijaywargiya of SophosLabs.
