A KnowBe4 Menace Labs Publication Authors: James Dyer and Cameron Sweeney
The KnowBe4 Menace Analysis group has noticed a sustained improve in the usage of Scalable Vector Graphics (SVG) information to obfuscate malicious payloads.
SVGs are vector based mostly, slightly than pixel-based like PNGs and JPGs. This implies the graphic components might be scaled up with out lack of high quality – making them good for sharing graphics, equivalent to logos and icons, by way of e mail.
In a now well-established sample (suppose QR codes and quishing assaults), cybercriminals try to reap the benefits of the rising use of this file sort, hoping familiarity will result in complacency within the targets of their phishing assaults.Ā
As weāll additionally focus on later, SVG information supply technical benefits to cybercriminals trying to evade conventional e mail safety filters.
Our Menace Analysis group analyzed phishing emails despatched between January 1st and March fifth, 2025, discovering that SVG information accounted for six.6% of malicious attachments in phishing emails detected by KnowBe4 Defend. This can be a 245% improve when in comparison with assaults despatched between October 1st and December thirty first, 2024, throughout which period SVGs made up just one.9%. The most important spike to this point occurred on March 4th, with SVGs accounting for 29.5% of all malicious attachments.Ā
When analyzing these assaults, our group found that two main phishing campaigns contributed to this improve.Ā
Evaluation of Two SVG Phishing Campaigns All assaults on this weblog have been recognized and neutralized by KnowBe4 Defend and analyzed by our Menace Analysis group.Ā
Vector and sort: E-mail phishing Main methods: Malicious attachments obfuscated utilizing SVG information Targets: World Platform: Microsoft 365 Bypassed native and SEG detection: Sure
Marketing campaign 1: SVGs utilized in polymorphic assaults This marketing campaign includes phishing emails utilizing SVG attachments with polymorphic file names.
The topic line is designed to look like a routine system automated e mail (āe_Portal_Server_Notice ā within the assault proven under), whereas the assaults are literally despatched from a compromised account with a excessive area age. Using the compromised account helps the emails cross authentication checks (together with DMARC, SPF and DKIM within the assaults we analyzed) and even evade detection by Microsoftās native spam confidence filter.Ā
When opened, the SVG attachment is loaded within the recipientās internet browser and incorporates a clickable clear rectangle. For many individuals, an automated response when offered with a clean webpage is to click on on it – a pure impulse that, on this case, strikes the assault ahead. If the person clicks on the rectangle, they’re redirected to a credential harvesting phishing web site that makes use of Microsoft branding.Ā
The phishing emails use a mix of superior obfuscation methods to assist them bypass the signature-based detection current in conventional e mail safety products, equivalent to safe e mail gateways (SEGs).Ā
Each the topic and attachment names are polymorphic, altering with every phishing e mail to keep away from hash-based detection (the lookup for recognized unhealthy signatures utilized by SEGs). The topic line additionally incorporates the identical textual content because the title of the attachment in an try to enhance the e-mailās look of legitimacy. Moreover, the malicious hyperlink throughout the SVG is encoded with the phishing area and the recipientās e mail, which suggests the JavaScript malware throughout the SVG may also be classed as polymorphic.
The e-mail physique within the assault proven under incorporates restricted textual content, however is stuffed with quite a few line breaks and a benign e mail footer on the backside. This system goals to make the assault seem much less suspicious to some filtering know-how that makes use of the character rely to find out whether or not an e mail message is suspicious, in addition to doubtlessly neutralize some pure language processing (NLP) detection. Right here, our researchers consider the cybercriminal makes use of the benign footer to govern e mail safety detection software program, whereas the road breaks doubtlessly conceal it from the recipientās view, relying on the e-mail preview accessible.Ā
Phishing assault detected by KnowBe4 Defend with malicious SVG file attachment that includes polymorphic file title.
Marketing campaign 2: Missed messages hiding malicious JavaScript The second marketing campaign contains a āmissed messageā phishing e mail, the place the goal is prompted to open an attachment to hearken to a voice message following a missed name. The SVG attachment incorporates JavaScript that, as soon as clicked, robotically hundreds a phishing web site on the goalās machine.Ā
This marketing campaign contains a excessive degree of personalization, designed to lure the sufferer right into a false sense of safety. The recipientās e mail deal with is repeated within the file title and the physique of the e-mail. Moreover, the JavaScript within the payload dynamically appends the recipientās e mail deal with as a question parameter to a credential harvesting web site (consequently tagging the harvested password to a selected person) and prefills the shape with the goalās e mail deal with. This will increase the probability theyāll be deceived by the assault, because the goal has much less time to consider what theyāre doing earlier than they enter their Microsoft password.Ā
Just like the earlier assault, the phishing e mail proven under was additionally despatched from a compromised account that allowed it to look professional to authentication protocols and cross DMARC checks. The e-mail additionally options model impersonation for RingCentral – a trusted communication software program that’s utilized by the goalās group – which additional enhances its look of credibility.Ā
Lastly, the cybercriminal manipulates the structure of the e-mail, forcing Microsoftās exterior e mail banner to maneuver from the highest of the e-mail to the underside. That is achieved by modifying the HTML with extra clean areas and customized styling to regulate the margins and padding to maneuver the
part of the code that incorporates the warning banner to the underside of the e-mail. Inline CSS can be used to forestall the banner from transferring again to the unique place.Ā
That is carried out to divert the recipientās consideration away from the message that prompts them to look at the e-mail extra carefully and to not open unknown attachments. KnowBe4 Defendās banners make the most of anti-manipulation methods and weren’t affected by this.Ā
Phishing assault detected by KnowBe4 Defend with malicious SVG file attachment, that includes the goalās e mail within the attachment title and physique copy.
Credential harvesting web site designed to steal Microsoft logins, with goalās e mail deal with prefilled.
The Rising Menace of SVGs SVG information are inherently visible and are sometimes trusted in the identical method as easy pictures. Nevertheless, in contrast to conventional picture information, the XML construction of SVGs signifies that they can be utilized by cybercriminals to include scripts that stay invisible to customers and a few virus scanners. This dynamic habits mixed with the pure enchantment of high-quality visuals makes SVGs a potent phishing menace.Ā
Whereas HTML smuggling is a well-known approach that embeds dangerous code in HTML information to bypass safety filters, SVG phishing is arguably much more harmful. SVGs use the identical idea of smuggling code, however their integration into a well-known picture format makes them much less conspicuous and, consequently, much less ceaselessly scrutinized by conventional defenses. This superior technique is much less well known, that means that many organizations and safety merchandise won’t be adequately ready to detect or mitigate the menace.
Evading Detection by Safe E-mail Gateways (SEGs) Many e mail safety filters, like SEGs, and endpoint safety programs primarily scrutinize file sorts usually related to executable code like EXE or HTML, in addition to extra conventional file codecs, equivalent to ZIPs, PDFs, DOCs, JPGs and PNGs. Since SVGs are generally assumed to be āprotectedā file sorts, they could bypass these checks to permit malicious information to be delivered.Ā
SVGs are additionally essentially totally different to those different file sorts, enabling them to evade conventional detection mechanisms in different methods:
Textual content-based format: SVGs are XML-based and seem primarily as textual content. Many SEGs deal with them as benign picture information slightly than executable content material
Embedded code and obfuscation: Attackers can embed JavaScript and different energetic components inside an SVG, which isnāt attainable with different picture file sorts. By utilizing methods like Base64 encoding and dynamic string meeting, the malicious code is hidden from static scanners that arenāt designed to parse embedded scripts
Payload revealed on execution: Most SEGs have restricted parsing capabilities and don’t totally execute or examine the embedded scripts inside SVG information. The malicious payload solely reveals itself when the file is rendered in a browser, bypassing the SEGās detection mechanisms
Look of legitimacy: Provided that SVGs are extensively utilized in internet and graphic design, these information are sometimes handed off as professional pictures, lowering the probability that theyāll be flagged as suspicious by automated filters
Offering a number of avenues for assault SVGs additionally allow attackers to make the most of a number of totally different methods inside their assaults. This versatility is driving the elevated use of this attachment sort.Ā
Injecting Dangerous Code An attacker can embed malicious JavaScript inside an SVG file (as seen within the second instance analyzed on this publish). When opened in a browser, this code can robotically redirect the person to a fraudulent web site. Alternatively, the script may redirect to a website that prompts for different delicate data or initiates a malware obtain.
Knowledge ExfiltrationĀ Embedded scripts can be utilized to silently accumulate and ship delicate data, equivalent to login credentials or private information, to an exterior server. For instance, a malicious SVG may embrace code that displays person inputs, equivalent to keystrokes entered right into a login type, after which sends this information by way of an HTTP request to an attacker-controlled server. This might consequence within the unauthorized assortment of credentials, private particulars, or different confidential data.
Undetected Actions SVG information despatched as attachments are usually thought to be innocent, static pictures. This benign look signifies that executed payloads can go unnoticed. As a result of each customers and plenty of e mail safety filters assume that picture attachments are non-executable, the embedded malicious code can function covertly with out triggering customary safety alerts.
That is an instance of a hidden code snippet from a malicious SVG despatched to a KnowBe4 Defend buyer (which we detected).
JavaScript payload that was hidden inside an SVG attachment to a phishing e mail detected by KnowBe4 Defend.Ā
The code incorporates three key options:
Learn how to Detect Phishing Assaults with SVG Attachments As weāve seen, one of many points of interest for utilizing SVG information in phishing assaults is their capability to get via conventional e mail safety defenses, significantly SEGs. In consequence, organizations want to make sure they’ve technical measures in place that may catch missed threats, using:
Contextual evaluation to detect anomalies – for instance, understanding that SVG attachments are widespread in graphic design emails however are uncommon in different contexts, equivalent to a missed message
Attachment and metadata inspection to establish suspicious patterns, equivalent to an attachment title matching the recipientās e mail deal with, and mismatch between a senderās show title and the From deal with
Superior pure language processing (NLP)to research the e-mail content material, in search of proof that differentiates professional communication from phishing makes an attempt
Zero belief and holistic analysis thatanalyzes all elements, together with contextual clues and metadata anomalies, and efficiently quarantines threats, even when an e mail has already handed all customary authentication checks, equivalent to these despatched from compromised trusted accounts
Our Menace Analysis group believes SVG phishing attachments will type a big phishing menace all through 2025. In addition to deploying superior e mail safety defenses, additionally it is necessary to proceed to put money into personalised coaching and training to successfully handle the human threat related to phishing.
