SVG Attachment Abuse
31st March 2025
By Rikesh Vekaria, Marcin Ulikowski and Mimecast Threat Research Team
What you'll learn in this notification
- Campaign using Scalable Vector Graphics (SVG) with JavaScript redirects
- Users are redirected to credential harvesting pages or download malware
Rikesh Vekaria, Marcin Ulikowski, and the Mimecast threat researchers have recently identified several campaigns utilising Scalable Vector Graphics (SVG) attachments in credential phishing attacks. SVG is an XML-based image format that supports embedded JavaScript. This allows for interactivity and animation, event handlers and DOM manipulation using embedded scripts. Threat actors are utilising these SVG capabilities to embed malicious JavaScript in files attached to emails which, when opened, execute and redirect users to phishing sites or potentially download malware.
A simple example of how this can be used is shown below:
Threat actors have previously made use of HTML attachments in a similar way to redirect users to phishing pages; however, this rapid move to SVG files may lead users to think an image file is more harmless than an HTML attachment. SVG attachments are also less likely to be inspected as rigorously as HTML files and executables. Looking into the JavaScript in the SVG files, the research team has identified several types of obfuscation techniques, from Base64 encoding to symmetric cryptography, used to evade detection.
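The active-content primitives described above (a script element, an event-handler attribute, a javascript: link, a Base64 blob hiding the next stage) are what an attachment scanner can key on. The following is an added example, not Mimecast's detection logic or code from this campaign: a small standard-library Python checker that parses an SVG attachment and lists those indicators. The two SVG documents it runs on are constructed samples, not real campaign files.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Runs of Base64 text long enough to hide a URL or a second-stage script.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

def _local(name):
    """Strip the XML namespace so 'script' matches '{...svg}script'."""
    return name.rsplit("}", 1)[-1]

def find_svg_script_indicators(svg_text):
    """Return sorted active-content indicators found in an SVG document:
    <script> elements, on* event-handler attributes, javascript: URIs and
    Base64 blobs inside scripts (one of the obfuscation layers seen above)."""
    findings = set()
    for el in ET.fromstring(svg_text).iter():
        if _local(el.tag) == "script":
            findings.add("script-element")
            for blob in B64_RUN.findall(el.text or ""):
                try:
                    base64.b64decode(blob, validate=True)
                    findings.add("base64-in-script")
                except ValueError:
                    pass  # long identifier or URL fragment, not valid Base64
        for attr, value in el.attrib.items():
            if _local(attr).lower().startswith("on"):
                findings.add("event-handler:" + _local(attr))
            if value.strip().lower().startswith("javascript:"):
                findings.add("javascript-uri:" + _local(attr))
    return sorted(findings)

def is_suspicious(svg_text):
    """Policy hook: any active-content indicator is enough to quarantine."""
    return bool(find_svg_script_indicators(svg_text))

# Constructed samples (not real campaign artefacts): a plain image and a
# lookalike carrying an onload handler, a javascript: link and a Base64-
# wrapped script (the blob decodes to a harmless console.log call).
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SUSPECT_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="run()">'
    '<script>function run(){eval(atob("Y29uc29sZS5sb2coIngiKQ=="))}</script>'
    '<a href="javascript:run()"><text>Play message</text></a></svg>'
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SVG), ("suspect", SUSPECT_SVG)):
        print(name, find_svg_script_indicators(doc))
```

A real gateway rule would also treat `foreignObject` elements and external `href` targets as indicators; this checker deliberately covers only the primitives named in this notification.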
There have been several campaigns using this method, one of which uses the lure of a voice message. Once the user opens the attachment, they will be redirected to a login page to listen to the voice note.
A similar example redirects the user through multiple stages, starting with a CAPTCHA that requires the user to interact with the page. This technique continues to be commonly used to evade security detections.
The user is then redirected to another page, which requires clicking a button that opens a supposed PDF before reaching the final credential harvesting page.
These campaigns were first observed in early February and run at relatively high volumes. Over the last two weeks we have seen over 2 million detections, with the peak around 17th and 18th March.
Mimecast Protection
We have identified several attributes in the recent campaigns which have been added to our detection capabilities. We continue to monitor for changes in techniques used within SVG files.
Targets:
Global, all industries
IOCs
Subjects:
- New Voice Message from Accounts Payable Available To Listen
- Action Required-Important Crediential Notification
Domains used in phishing pages:
jihancock[.]sterliingasi[.]com
aqra[.]qdjcpol[.]ru
si3[.]kpvjzzh[.]es
testing[.]lannaathai[.]org
jutebagbd[.]com
ceimatarials[.]com
Hashes:
03b23e85b7de4d5389af11db025c4ee2387446d17217ac569485784d3de8b15a
27f81fc31fff3171545925224a53014644e3b3ea0a1ccec508e3a576816fa7e4
5ef2acf3419a3088fa8096f87b2a186bc06c0e9157dcbb7a57da20cf83926c19
78ea3ffd759f8404331b40b1167aec64b723ecdad43dfc807fa398bbc403b485
75a69423bf73f9ade0235d24d46b341d6d1e74e7bd8f851ee3d6f4e9462da0cd
Recommendations
- Assess SVG attachment requirements
  - Audit and identify legitimate business uses for SVG file attachments
  - Adjust your Mimecast Attachment Management policy to specifically block or quarantine attachments with the .svg extension
  - Consider configuring granular rules based on sender domains, allowing SVGs only from trusted partners if business-critical
  - Train users to never open attachments from unknown or unverified senders
  - Implement a policy requiring verification of the sender via an alternative communication channel before opening unexpected attachments
- User security awareness training
  - Develop specific training modules demonstrating the risks of SVG-based phishing attacks
  - Conduct regular phishing simulations that include SVG-based attack scenarios
- Proactive threat hunting
  - Search email receipt logs using specific filters for the phishing subject lines
  - Review your web security logs daily, focusing on connections to the identified phishing domains