The problem with feature-rich file formats that can carry instructions for a browser to execute is that they can be weaponized in equally inventive ways
Since late 2024, cybercriminals have exploited the XML-based graphics file format Scalable Vector Graphics (SVG) to bypass anti-spam and anti-phishing protection mechanisms.
The attacks have been ramped up substantially since mid-January this year, according to threat researchers at cybersecurity firm Sophos.
Besides storing the commands that draw resizable vector graphics, an SVG file is XML and can carry hyperlinks, JavaScript and embedded HTML. A weaponized file can therefore direct a browser to process malicious HTML and follow URLs leading to spam or phishing content.
The attack works via a multi-step process:
- An email with a weaponized SVG file attached is sent out to potential victims
- If the attachment is downloaded and opened, it is launched in the default browser on the victim's device
- The SVG file contains web links or JavaScript code that redirect the browser to a site hosting a phishing kit, exposing the target to the phish
- A Cloudflare CAPTCHA challenge gates the destination, which convinces the target that the site is legitimate and therefore safe (a gate of this kind also keeps automated URL scanners and sandboxes from reaching the phishing page)
- Most targets land on a phishing web page telling them to click a button to open or read a document hosted on DocuSign, Dropbox, RingCentral, SharePoint or Google Voice. Realistic-looking fake login dialog boxes for these services are then displayed to convince the target to enter login credentials
- Some of the malicious SVG attachments analyzed even contained a password-protected ZIP archive holding a Windows malware executable (an AutoIt script that installs a keystroke logger)
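As an added illustration (not from the Sophos research or this article), the following Python script triages an SVG attachment for the active-content features the campaign described above depends on: embedded script, event-handler attributes, hyperlinks to external or javascript: URLs, and foreignObject, the SVG element that lets a file embed arbitrary HTML. The three sample SVG files and the host phish.example are constructed for the example and are not real samples or indicators.

```python
"""Triage scanner for SVG e-mail attachments (added example, not the article's code).

Flags the active-content features an SVG lure relies on: <script> elements,
on* event handlers, hyperlinks to external or javascript: URIs, and
<foreignObject>, which lets an SVG embed arbitrary HTML such as a meta refresh.
"""
import xml.etree.ElementTree as ET

# NOTE: xml.etree does not resolve external entities, but it has no protection
# against entity-expansion bombs. In a mail gateway, parse with
# defusedxml.ElementTree.fromstring instead of ET.fromstring.


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag or attribute name: '{ns}script' -> 'script'."""
    return tag.rsplit("}", 1)[-1].lower()


def _hrefs(elem: ET.Element) -> list[str]:
    """Return href-like attribute values (SVG 2 'href' and legacy 'xlink:href')."""
    return [v for k, v in elem.attrib.items() if _local(k) == "href"]


def scan_svg(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means no active content was seen."""
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # An "image" that is not well-formed XML deserves a look on its own.
        return [f"parse-error: {exc}"]

    for elem in root.iter():
        name = _local(elem.tag)
        if name == "script":
            findings.append("script element")
            for h in _hrefs(elem):
                findings.append(f"external script: {h}")
        if name == "foreignobject":
            findings.append("foreignObject (embedded HTML)")
        if name in ("iframe", "embed", "object", "meta", "form"):
            findings.append(f"html element: {name}")
        for attr in elem.attrib:
            if _local(attr).startswith("on"):          # onload, onclick, ...
                findings.append(f"event handler: {_local(attr)}")
        for h in _hrefs(elem):
            hl = h.strip().lower()
            if hl.startswith(("javascript:", "data:")):
                findings.append(f"{name} href uses {hl.split(':', 1)[0]}: URI")
            elif hl.startswith(("http://", "https://")) and name != "script":
                findings.append(f"{name} links to {h}")
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(scan_svg(data))


# --- Constructed sample inputs (not real attachments) ---------------------------
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="blue"/>
</svg>"""

# A lure modelled on the campaign description: a "document" link plus a script
# redirect on load. phish.example is a placeholder host, not a real domain.
PHISH_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="200" onload="init()">
  <a xlink:href="https://phish.example/docusign/view?u=victim%40example.com">
    <text x="20" y="60">Click to open your DocuSign document</text>
  </a>
  <script><![CDATA[
    function init() { window.location = "https://phish.example/gate"; }
  ]]></script>
</svg>"""

# The HTML-embedding path: foreignObject wrapping an XHTML meta refresh.
FOREIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="400" height="200">
  <foreignObject width="400" height="200">
    <body xmlns="http://www.w3.org/1999/xhtml">
      <meta http-equiv="refresh" content="0; url=https://phish.example/"/>
    </body>
  </foreignObject>
</svg>"""


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("lure", PHISH_SVG), ("foreignObject", FOREIGN_SVG)):
        print(f"{label}: {scan_svg(blob) or 'clean'}")
```

The scanner is deliberately conservative: any script, handler, foreignObject or outbound link is reported, because a legitimate image attachment needs none of them. The benign sample returns no findings; the lure sample reports the onload handler, the DocuSign-themed link and the script element; the foreignObject sample reports the embedded HTML and the meta element.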
Nearly half of the SVG files examined in the research had been sent to a single recipient, with that recipient's email address or name embedded in the file and the lure text localized to the language matching the target's nationality. This level of customization suggests the attacks are being used as spear-phishing campaigns against targeted organizations.
To stay safe from this type of attack, users are advised to be wary of SVG attachments in unexpected or suspicious emails; configure their operating system to open SVG files in a text editor rather than the browser; and observe the usual precautions against phishing.