A KnowBe4 Menace Labs Publication
Authors: James Dyer and Cameron Sweeney
The KnowBe4 Menace Analysis crew has noticed a sustained improve in using Scalable Vector Graphics (SVG) information to obfuscate malicious payloads.
SVGs are vector primarily based, somewhat than pixel-based like PNGs and JPGs. This implies the graphic parts could be scaled up with out lack of high quality – making them excellent for sharing graphics, corresponding to logos and icons, by way of e-mail.
In a now well-established sample (assume QR codes and quishing assaults), cybercriminals are trying to benefit from the rising use of this file sort, hoping familiarity will result in complacency within the targets of their phishing assaults.
As we’ll additionally talk about later, SVG information supply technical benefits to cybercriminals seeking to evade conventional e-mail safety filters.
Our Menace Analysis crew analyzed phishing emails despatched between January 1st and March fifth, 2025, discovering that SVG information accounted for six.6% of malicious attachments in phishing emails detected by KnowBe4 Defend. This can be a 245% improve when in comparison with assaults despatched between October 1st and December thirty first, 2024, throughout which period SVGs made up just one.9%. The biggest spike up to now occurred on March 4th, with SVGs accounting for 29.5% of all malicious attachments.
When analyzing these assaults, our crew found that two main phishing campaigns contributed to this improve.
Evaluation of Two SVG Phishing Campaigns
All assaults on this weblog had been recognized and neutralized by KnowBe4 Defend and analyzed by our Menace Analysis crew.
Vector and kind: E-mail phishing
Main methods: Malicious attachments obfuscated utilizing SVG information
Targets: World
Platform: Microsoft 365
Bypassed native and SEG detection: Sure
Marketing campaign 1: SVGs utilized in polymorphic assaults
This marketing campaign entails phishing emails utilizing SVG attachments with polymorphic file names.
The topic line is designed to look like a routine system automated e-mail (“e_Portal_Server_Notice
When opened, the SVG attachment is loaded within the recipient’s net browser and comprises a clickable clear rectangle. For many individuals, an automated response when offered with a clean webpage is to click on on it – a pure impulse that, on this case, strikes the assault ahead. If the person clicks on the rectangle, they’re redirected to a credential harvesting phishing web site that makes use of Microsoft branding.
The phishing emails use a mix of superior obfuscation methods to assist them bypass the signature-based detection current in conventional e-mail safety products, corresponding to safe e-mail gateways (SEGs).
Each the topic and attachment names are polymorphic, altering with every phishing e-mail to keep away from hash-based detection (the lookup for recognized dangerous signatures utilized by SEGs). The topic line additionally comprises the identical textual content because the identify of the attachment in an try to enhance the e-mail’s look of legitimacy. Moreover, the malicious hyperlink inside the SVG is encoded with the phishing area and the recipient’s e-mail, which implies the JavaScript malware inside the SVG may also be classed as polymorphic.
The e-mail physique within the assault proven beneath comprises restricted textual content, however is crammed with quite a few line breaks and a benign e-mail footer on the backside. This system goals to make the assault seem much less suspicious to some filtering know-how that makes use of the character depend to find out whether or not an e-mail message is suspicious, in addition to doubtlessly neutralize some pure language processing (NLP) detection. Right here, our researchers consider the cybercriminal makes use of the benign footer to govern e-mail safety detection software program, whereas the road breaks doubtlessly conceal it from the recipient’s view, relying on the e-mail preview out there.
Phishing assault detected by KnowBe4 Defend with malicious SVG file attachment that includes polymorphic file identify.
Marketing campaign 2: Missed messages hiding malicious JavaScript
The second marketing campaign contains a “missed message” phishing e-mail, the place the goal is prompted to open an attachment to hearken to a voice message following a missed name. The SVG attachment comprises JavaScript that, as soon as clicked, mechanically hundreds a phishing web site on the goal’s machine.
This marketing campaign contains a excessive degree of personalization, designed to lure the sufferer right into a false sense of safety. The recipient’s e-mail deal with is repeated within the file identify and the physique of the e-mail. Moreover, the JavaScript within the payload dynamically appends the recipient’s e-mail deal with as a question parameter to a credential harvesting web site (consequently tagging the harvested password to a particular person) and prefills the shape with the goal’s e-mail deal with. This will increase the chance they’ll be deceived by the assault, because the goal has much less time to consider what they’re doing earlier than they enter their Microsoft password.
Just like the earlier assault, the phishing e-mail proven beneath was additionally despatched from a compromised account that allowed it to look respectable to authentication protocols and go DMARC checks. The e-mail additionally options model impersonation for RingCentral – a trusted communication software program that’s utilized by the goal’s group – which additional enhances its look of credibility.
Lastly, the cybercriminal manipulates the structure of the e-mail, forcing Microsoft’s exterior e-mail banner to maneuver from the highest of the e-mail to the underside. That is achieved by modifying the HTML with further clean areas and customized styling to regulate the margins and padding to maneuver the
part of the code that comprises the warning banner to the underside of the e-mail. Inline CSS can be used to stop the banner from transferring again to the unique place.That is accomplished to divert the recipient’s consideration away from the message that prompts them to look at the e-mail extra intently and to not open unknown attachments. KnowBe4 Defend’s banners make the most of anti-manipulation methods and weren’t affected by this.
Phishing assault detected by KnowBe4 Defend with malicious SVG file attachment, that includes the goal’s e-mail within the attachment identify and physique copy.
Credential harvesting web site designed to steal Microsoft logins, with goal’s e-mail deal with prefilled.
The Rising Menace of SVGs
SVG information are inherently visible and are sometimes trusted in the identical method as easy pictures. Nonetheless, not like conventional picture information, the XML construction of SVGs signifies that they can be utilized by cybercriminals to include scripts that stay invisible to customers and a few virus scanners. This dynamic conduct mixed with the pure attraction of high-quality visuals makes SVGs a potent phishing menace.
Whereas HTML smuggling is a well-known method that embeds dangerous code in HTML information to bypass safety filters, SVG phishing is arguably much more harmful. SVGs use the identical idea of smuggling code, however their integration into a well-recognized picture format makes them much less conspicuous and, consequently, much less ceaselessly scrutinized by conventional defenses. This superior methodology is much less widely known, that means that many organizations and safety merchandise may not be adequately ready to detect or mitigate the menace.
Evading Detection by Safe E-mail Gateways (SEGs)
Many e-mail safety filters, like SEGs, and endpoint safety methods primarily scrutinize file sorts usually related to executable code like EXE or HTML, in addition to extra conventional file codecs, corresponding to ZIPs, PDFs, DOCs, JPGs and PNGs. Since SVGs are generally assumed to be “protected” file sorts, they might bypass these checks to permit malicious information to be delivered.
SVGs are additionally basically completely different to those different file sorts, enabling them to evade conventional detection mechanisms in different methods:
- Textual content-based format: SVGs are XML-based and seem primarily as textual content. Many SEGs deal with them as benign picture information somewhat than executable content material
- Embedded code and obfuscation: Attackers can embed JavaScript and different lively parts inside an SVG, which isn’t attainable with different picture file sorts. By utilizing methods like Base64 encoding and dynamic string meeting, the malicious code is hidden from static scanners that aren’t designed to parse embedded scripts
- Payload revealed on execution: Most SEGs have restricted parsing capabilities and don’t totally execute or examine the embedded scripts inside SVG information. The malicious payload solely reveals itself when the file is rendered in a browser, bypassing the SEG’s detection mechanisms
- Look of legitimacy: On condition that SVGs are extensively utilized in net and graphic design, these information are sometimes handed off as respectable pictures, decreasing the chance that they’ll be flagged as suspicious by automated filters
Offering a number of avenues for assault
SVGs additionally allow attackers to make the most of a number of completely different methods inside their assaults. This versatility is driving the elevated use of this attachment sort.
Injecting Dangerous Code
An attacker can embed malicious JavaScript inside an SVG file (as seen within the second instance analyzed on this publish). When opened in a browser, this code can mechanically redirect the person to a fraudulent web site. Alternatively, the script may redirect to a website that prompts for different delicate data or initiates a malware obtain.
Information Exfiltration
Embedded scripts can be utilized to silently accumulate and ship delicate data, corresponding to login credentials or private information, to an exterior server. For instance, a malicious SVG would possibly embrace code that screens person inputs, corresponding to keystrokes entered right into a login type, after which sends this information by way of an HTTP request to an attacker-controlled server. This might end result within the unauthorized assortment of credentials, private particulars, or different confidential data.
Undetected Actions
SVG information despatched as attachments are usually thought to be innocent, static pictures. This benign look signifies that executed payloads can go unnoticed. As a result of each customers and lots of e-mail safety filters assume that picture attachments are non-executable, the embedded malicious code can function covertly with out triggering normal safety alerts.
That is an instance of a hidden code snippet from a malicious SVG despatched to a KnowBe4 Defend buyer (which we detected).
JavaScript payload that was hidden inside an SVG attachment to a phishing e-mail detected by KnowBe4 Defend.
The code comprises three key options:
Methods to Detect Phishing Assaults with SVG Attachments
As we’ve seen, one of many points of interest for utilizing SVG information in phishing assaults is their skill to get by means of conventional e-mail safety defenses, notably SEGs. Consequently, organizations want to make sure they’ve technical measures in place that may catch missed threats, using:
- Contextual evaluation to detect anomalies – for instance, understanding that SVG attachments are widespread in graphic design emails however are uncommon in different contexts, corresponding to a missed message
- Attachment and metadata inspection to determine suspicious patterns, corresponding to an attachment identify matching the recipient’s e-mail deal with, and mismatch between a sender’s show identify and the From deal with
- Superior pure language processing (NLP) to research the e-mail content material, searching for proof that differentiates respectable communication from phishing makes an attempt
- Zero belief and holistic analysis that analyzes all elements, together with contextual clues and metadata anomalies, and efficiently quarantines threats, even when an e-mail has already handed all normal authentication checks, corresponding to these despatched from compromised trusted accounts
Our Menace Analysis crew believes SVG phishing attachments will type a major phishing menace all through 2025. In addition to deploying superior e-mail safety defenses, additionally it is necessary to proceed to put money into personalised coaching and training to successfully handle the human threat related to phishing.
