Menace actors are quietly turning Scalable Vector Graphics (SVG) recordsdata into precision-guided malware. In a surge of phishing campaigns, seemingly innocuous .svg attachments slip previous safe electronic mail gateways as a result of mail filters regard them as static photographs.
As soon as the recipient merely previews the file, hidden JavaScript executes contained in the browser, triggering an invisible redirect chain that funnels victims to attacker infrastructure.
The Recipient’s perspective (Supply – Ontinue)
The lure emails are minimalist—usually a single icon or “Missed Name” teaser—and exploit organisations which have weak SPF, DKIM or DMARC enforcement.
Because the attachments bypass signature checks, the primary line of defence fails; Ontinue analysts recognized the wave after correlating near-identical SVGs despatched to B2B service suppliers and SaaS distributors, all containing distinct Base64 monitoring strings that map every click on to a workstation.
Since no executable is dropped, endpoint brokers see solely regular browser exercise whereas credentials are siphoned off on well-crafted Microsoft 365 look-alike portals.
Typical M365 Credential Phishing (Supply – Ontinue)
Past credential theft, the method exemplifies a broader strategic pivot: adversaries more and more weaponise file codecs that browsers render natively, eradicating the social-engineering friction of persuading customers to run macros or installers.
Safety controls that target executables, archives or scripts alone discover themselves blind to those pixel-perfect stings.
An infection Mechanism: Self-Decoding JavaScript Smuggling
Every malicious SVG embeds an obfuscated payload between “ tags. A ten-byte XOR key masks the script, irritating static scanners, whereas a two-stage routine reconstructs the redirect at runtime.
First, a brief operate iterates by the encrypted blob, returning plaintext; then it leverages the Operate constructor to execute that code solely in reminiscence.
The revived script concatenates an atob()-decoded area with a victim-specific token earlier than forcing navigation:-
window.location.href = atob(
‘aHR0cHM6Ly93dnJ6LmxmdGt2b2cubmV0L…’ // area rotates day by day
) + token;
As nothing is written to disk, persistence is irrelevant, and geofencing logic ensures sandboxes exterior the goal area obtain benign pages.
Detecting the risk due to this fact hinges on deep content material inspection that flags script tags inside picture recordsdata or on correlating uncommon .svg command-line invocations with electronic mail telemetry.
Till such controls mature, organisations ought to quarantine unsolicited SVGs, allow content material disarm and reconstruction, and transfer DMARC insurance policies from monitoring to reject.
Enhance detection, cut back alert fatigue, speed up response; all with an interactive sandbox constructed for safety groups -> Strive ANY.RUN Now
