FOCUS MODE
EXTRACT IOC
Threat Research

Scalable Vector Graphics files pose a novel phishing threat

Sophos
Scalable Vector Graphics files pose a novel phishing threat
Criminals are exploiting SVG file attachments in phishing emails to bypass traditional security measures. These SVG files, when opened, can lead users to malicious websites designed to steal login credentials through social engineering tactics. The scheme has gained significant traction since early 2023, utilizing familiar branding and deceptive subject lines to lure victims. Affected: Email users, IT security, Document signing services, Phishing victims, Online service platforms

Keypoints :

  • SVG files are being weaponized as phishing tools that bypass anti-spam measures.
  • The attacks have intensified since January 2023, with many malicious emails containing .svg attachments.
  • Malicious SVG files can contain hyperlinks and scripts, making them more dangerous than typical image formats.
  • Your browser opens SVG files by default, allowing attackers to embed links to phishing sites.
  • Common subject lines include references to legal documents, voicemails, and financial agreements.
  • Many attacks impersonate popular brands, including DocuSign, Microsoft SharePoint, and Google Voice.
  • Targets often receive phishing pages that mimic legitimate login portals for credential harvesting.
  • More sophisticated SVG files may include automatic redirects to phishing sites using JavaScript.
  • To mitigate risks, users can set SVG files to open in non-browser applications like Notepad.
  • Machine learning signals have helped develop detection signatures for these phishing attempts.

MITRE Techniques :

  • T1583.001 – Acquire Infrastructure: Attackers use SVG files and link them to phishing pages hosted on attacker-controlled domains.
  • T1071.001 – Application Layer Protocol: Usage of web protocols for command and control through malicious SVG attachments.
  • T1071.003 – Application Layer Protocol: Manipulation of user awareness via social engineering tactics in the email content.
  • T1203 – Exploitation for Client Execution: SVG files exploit the default opening method to execute links in a browser.
  • T1056.001 – Input Capture: Credential harvesting from users through phishing pages embedded within SVG files.

Indicator of Compromise :

  • [File Type] malicious.svg
  • [URLs] http://example-phishing-site.ru/login
  • [Email] phishing.sender@example.com
  • [Hashes] MD5: abcd1234efgh5678ijkl9012mnopqrstu
  • [File] zipfile.zip (contains a password-protected executable)

Full Story: https://news.sophos.com/en-us/2025/02/05/svg-phishing/

Tags: FINANCIAL, SOCIAL ENGINEERING, BROWSER, EXPLOIT, PHISHING, PASSWORD, EMAIL, CREDENTIAL