Security researchers at Ontinue have uncovered a sophisticated phishing campaign that leverages Scalable Vector Graphics (SVG) files to bypass conventional email security mechanisms. This emerging technique embeds obfuscated JavaScript code within SVG files to initiate malicious redirects—without requiring attachments, downloads, or user interaction beyond previewing the file.
The campaign specifically targets business-to-business (B2B) sectors, including software-as-a-service (SaaS) providers, utilities, and financial services firms. Analysts warn that the attack’s complexity—and its ability to evade detection—marks a significant evolution in phishing tactics.
How the Attack Works
The attack begins with emails masquerading as business-related notifications, such as missed calls, payment requests, or task reminders. These messages often impersonate legitimate services and are sent from domains lacking proper email authentication protocols, such as SPF, DKIM, or DMARC.
Embedded within these emails is a seemingly harmless SVG file, which when opened in a browser, executes obfuscated JavaScript via script tags embedded within the image. This encrypted code—often obfuscated using Base64 encoding or XOR ciphering—immediately redirects the user to a malicious website using browser-native methods like window.location.href.
Each redirect URL is uniquely crafted and may carry victim-specific tracking information, such as a Base64-encoded representation of the recipient’s email address. Notably, these redirects occur without downloading any executable files, which helps the attack evade traditional antivirus and endpoint detection tools.
Technical Insight and Evasion Tactics
| Vector | Details |
|---|---|
| File Type | SVG with embedded, obfuscated JavaScript |
| Execution Trigger | Browser-based rendering of the SVG image |
| Payload Behavior | Auto-redirects user to attacker-hosted phishing or credential-harvest sites |
| Obfuscation Methods | Base64 encoding, XOR-based scripting, character junk insertion |
| Detection Evasion | No macros, no file downloads, minimal email content, domain rotation |
The use of scalable vector images as a delivery mechanism is particularly insidious. While SVGs are widely used for their image scalability and web compatibility, few organizations treat them as potential threat vectors. In most security workflows, SVG files are passed through email gateways and document filters with minimal inspection.
Moreover, attackers take additional steps to avoid blacklisting and forensic tracking. Redirect domains rotate frequently, and geo-fencing policies narrow the attack surface to specific regions to avoid raising global alarms.
A Difficult Threat to Detect
The combination of minimalistic emails, uncommon file abuse, and browser-level execution makes this phishing technique highly effective. Traditional email and endpoint security systems often fail to scrutinize SVGs, treating them as benign content. Static signature- or behavior-based malware engines are rarely equipped to parse embedded scripts within XML-based image formats.
“This method represents a stealthy pivot in phishing tactics,” warns Jason Soroko, Senior Fellow at Sectigo. “Treat every inbound SVG as a potential executable. Organizations must inspect, sanitize, or outright block script-enabled image files to protect end users.”
Suggested Mitigation Strategies
To protect users and network environments against this emerging SVG-borne phishing technique, Ontinue recommends the following security measures:
- Enhance Email Gateway Policies
- Flag or quarantine SVG attachments by default.
- Apply deep inspection for embedded script tags within image files.
- Filter emails by checking for absent or misconfigured SPF, DKIM, and DMARC records.
- Harden Endpoint Detection Tools
- Incorporate browser telemetry to identify unusual redirects originating from file previews.
- Monitor for scripts making
window.location.hrefcalls that originate from local SVG files.
- Strengthen User Awareness
- Train users to avoid previewing attachments from unsolicited emails.
- Raise awareness about the risks associated with lesser-known file formats, including SVG, HTA, and VBE.
- Implement URL Threat Intelligence
- Block access to newly registered or dynamically generated domains.
- Use reputation-based domain analysis to flag and investigate redirect targets.
