
Source: Sophos
Sophos has identified a novel phishing technique that leverages Scalable Vector Graphics (SVG) files to bypass anti-spam and anti-phishing protections, allowing attackers to distribute malicious links that lead to credential theft.
According to Sophos, “criminals who conduct phishing attacks over email have ramped up their abuse of a new threat vector designed to bypass existing anti-spam and anti-phishing protection: The use of a graphics file format called SVG.”
SVG files are commonly used for vector-based images and render in any modern web browser. Unlike raster formats such as JPEG or PNG, an SVG file is text-based XML, and its markup can include hyperlinks, scripts, and other active web elements.
Sophos researchers found that malicious SVG attachments in phishing emails contained simple graphics but also included anchor tags linking to external phishing pages.
“The SVG files used in the attacks include some instructions to draw very simple shapes, such as rectangles, but also contain an anchor tag that links to a web page hosted elsewhere,” Sophos explained.
When unsuspecting users double-click an SVG email attachment, the file automatically opens in their default web browser, loading both the vector image and the malicious link. If the victim clicks the embedded link, they are redirected to a credential-harvesting site disguised as a legitimate login portal.
Attackers are using well-crafted social engineering lures in phishing emails to trick recipients into opening the malicious SVG attachments. These emails impersonate well-known brands such as DocuSign, Microsoft SharePoint, Dropbox, and Google Voice to enhance their credibility.
Sophos noted, “Many well-known brands and online services are being abused by these attacks, including DocuSign, Microsoft SharePoint, Dropbox, Google Voice, and RingCentral.”
Sophos researchers observed increasingly sophisticated SVG phishing attacks, including:
- Cloudflare CAPTCHA gates – Victims are required to “prove they’re human” before being redirected to the actual phishing page, making automated security scans ineffective.
- Credential pre-filling – The phishing page autofills the victim’s email address, making it appear legitimate.
- Live phishing templates – Attackers embed live links in the SVG file that point to dynamically generated fake login pages, often impersonating Microsoft 365 or Dropbox.
- JavaScript auto-redirects – In some cases, the SVG file automatically loads the phishing page without requiring a click.
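As an added illustration (not Sophos' code), the following scanner parses an SVG attachment and flags the constructs described above: anchor tags with external links, `<script>` elements that could redirect without a click, and event-handler attributes. The sample SVG and the `.invalid` domain are constructed for the example.

```python
"""Flag phishing indicators in an SVG attachment (added example, not Sophos' code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse


def scan_svg(data: bytes) -> list[str]:
    """Return human-readable findings for one SVG document."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()  # strip the XML namespace prefix
        if tag == "script":
            findings.append("<script> element present")
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1].lower()  # handles xlink:href as well as href
            if name.startswith("on"):  # onload, onclick, onbegin, ... run without a click
                findings.append(f"event handler {name} on <{tag}>")
            if name == "href":
                scheme = urlparse(value).scheme.lower()
                if scheme in ("http", "https"):
                    findings.append(f"external link in <{tag}>: {value}")
                elif scheme == "javascript":
                    findings.append(f"javascript: URL in <{tag}>")
    return findings


# Constructed sample resembling the attachments the article describes:
# a harmless rectangle, an anchor to an external page, and an auto-redirect.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="100">
  <rect width="200" height="100" fill="#eee"/>
  <a xlink:href="https://phish.example.invalid/login">
    <text x="20" y="50">Open document</text>
  </a>
  <script>window.location="https://phish.example.invalid/login";</script>
</svg>"""

# Constructed benign sample: shapes only, no links or scripts.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

if __name__ == "__main__":
    for finding in scan_svg(SAMPLE_SVG):
        print(finding)
```

A mail gateway would run this on every `.svg` attachment and quarantine or strip files with any finding, since a legitimate vector image needs none of these constructs.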
Sophos warns that “the phishing pages were all hosted on attacker-controlled domains, […] nearly all were gated with a CloudFlare CAPTCHA to prevent automated visits.”
The sophistication of these attacks has increased over time, with attackers refining their methods to appear more convincing. Researchers also found localized phishing pages designed to match the language of the targeted user.
Sophos noted, “We eventually found versions that targeted different languages, based on the top-level domain of the recipient. For example, both the email addressed to a target at a Japanese academic institution and its embedded SVG were crafted in Japanese.”