Ontinue warns of a newly observed phishing campaign leveraging Scalable Vector Graphics (SVG) files in redirect attacks that evade traditional detection.
Although SVG is generally regarded as a harmless image format, SVG files can contain embedded scripts, and threat actors have been abusing this to inject obfuscated JavaScript that triggers browser redirects at runtime.
The malicious code is hidden within a CDATA section of the SVG file and relies on a static XOR key to decrypt a payload at runtime. The decrypted code reconstructs a redirect command and builds a destination URL that also contains tracking functionality.
“JavaScript execution is achieved without requiring file drops or macros, and evasion is further enhanced by distributing the payload via spoofed emails that may pass basic anti-spam filters,” Ontinue says.
The malicious SVG files are delivered via phishing emails sent from domains with weak or misconfigured DKIM, DMARC, and SPF records, allowing the attackers to impersonate the sender. In some cases, the attackers have used domain names resembling those of legitimate entities.
The messages have typically landed in inboxes lacking DKIM records and DMARC policies. The observed emails are minimalistic, with only a few lines in the body instructing the victim to preview the image in the browser. The SVG file is either delivered as an attachment or hosted externally, with a link to it included in the message.
As part of the campaign, the attackers used domains with randomized or subdomain-based naming to hinder detection by static filters. The domains have low or unknown reputation and appear to be rotated regularly.
The attacks mainly targeted B2B service providers, such as financial and employee services firms, utilities, and software-as-a-service providers, which handle valuable corporate data regularly.
The use of SVG smuggling in these targeted phishing campaigns allows attackers to evade traditional behavioral or signature-based detection, as the embedded script logic triggers the redirection directly in the browser, without user interaction or external downloads.
“This campaign stands out for its use of browser-native redirection without requiring user interaction or external downloads. It bridges the gap between traditional phishing and full malware delivery, making it stealthy and effective,” Ontinue notes.
According to Sectigo senior fellow Jason Soroko, to mitigate these attacks, defenders need to treat content the same way they treat code.
“Treat every inbound SVG as a potential executable. Strip or block script tags. Enforce strict DMARC alignment and auto purge questionable mail. Instrument telemetry to catch browser pivots triggered by window location changes that originate from image previews. Layered controls, like Safe Links content disarmament, and lookalike domain monitoring, will disrupt the simple path attackers now rely on,” Soroko said.
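The gateway check Soroko describes, as an added Python example that is not part of the Ontinue report or of any Sectigo tooling: it extracts script bodies and event-handler attributes from an SVG, flags the XOR-decode-and-redirect pattern described above, and strips the active content so only the drawing remains. The two SVG samples are constructed; the smuggled stub carries an empty ciphertext and no real destination.

```python
import re
import xml.etree.ElementTree as ET
ET.register_namespace("", "http://www.w3.org/2000/svg")

# Heuristics for the runtime behaviour described above: XOR-decode a string,
# rebuild it character by character, then assign it to the browser location.
INDICATORS = {
    "xor_decode": re.compile(r"charCodeAt\s*\([^)]*\)\s*\^"),
    "char_rebuild": re.compile(r"String\.fromCharCode"),
    "redirect": re.compile(r"\blocation\b(?:\.href|\.replace|\.assign)?\s*[=(]"),
}

# Constructed samples: an inert image and one with a smuggled, non-functional stub.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'
SMUGGLED_SVG = """<svg xmlns="http://www.w3.org/2000/svg" onload="run()">
<script><![CDATA[
var k=7,e="",s="";  /* constructed stub only: empty ciphertext, no real target */
for(var i=0;i<e.length;i++){s+=String.fromCharCode(e.charCodeAt(i)^k);}
function run(){window.location=s;}
]]></script><rect width="10" height="10"/></svg>"""

_local = lambda tag: tag.rsplit("}", 1)[-1]   # drop the namespace prefix

def extract_active_content(svg_text):
    """Return every script body, external script reference and on* handler value."""
    found = []
    for el in ET.fromstring(svg_text).iter():
        if _local(el.tag) == "script":
            found.append((el.text or "").strip())
            found += ["EXTERNAL:" + v for k, v in el.attrib.items() if _local(k) == "href"]
        found += [v for k, v in el.attrib.items() if _local(k).lower().startswith("on")]
    return found

def triage(svg_text):
    """Verdict for the mail gateway: 'block' if any script is present, else 'allow'."""
    active = extract_active_content(svg_text)
    hits = {name for blob in active for name, rx in INDICATORS.items() if rx.search(blob)}
    if active and "<![CDATA[" in svg_text:
        hits.add("cdata_script")           # ElementTree unwraps CDATA, so check raw text
    return {"verdict": "block" if active else "allow", "scripts": len(active), "indicators": sorted(hits)}

def strip_active_content(svg_text):
    """Content disarmament: remove <script> elements and on* handler attributes."""
    root = ET.fromstring(svg_text)
    for el in list(root.iter()):           # materialise first, then mutate safely
        for child in [c for c in el if _local(c.tag) == "script"]:
            el.remove(child)
        for k in [k for k in el.attrib if _local(k).lower().startswith("on")]:
            del el.attrib[k]
    return ET.tostring(root, encoding="unicode")
```

The indicator names are the telemetry fields to log alongside the block verdict, which gives the SOC the browser-pivot signal Soroko recommends without rendering the file.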