Phishing attacks leveraging HTML code inside SVG files

[harlan4096]

With each passing year, phishing attacks feature more and more elaborate techniques designed to trick users and evade security measures. Attackers employ deceptive URL redirection tactics, such as appending malicious website addresses to seemingly safe links, embed links in PDFs, and send HTML attachments that either host the entire phishing site or use JavaScript to launch it. Lately, we have noticed a new trend where attackers are distributing attachments in SVG format, the kind normally used for storing images.

SVG format

SVG (Scalable Vector Graphics) is a format for describing two-dimensional vector graphics using XML. This is how an SVG file appears when opened in image viewing software.


SVG image

But if you open it in a text editor, you can see the XML markup that describes the image. This markup allows for easy editing of image parameters, eliminating the need for resource-intensive graphics editors.

This is what an SVG file looks like when opened in a text editor

Since SVG is based on XML, it supports JavaScript and HTML, unlike JPEG or PNG. This makes it easier for designers to work with non-graphical content like text, formulas, and interactive elements. However, attackers are exploiting this by embedding scripts with links to phishing pages within the image file.

Sample SVG file with embedded HTML code. The tag introduces HTML markup

Phishing email campaigns leveraging SVG files

At the start of 2025, we observed phishing emails that resembled attacks with an HTML attachment, but instead utilized SVG files.

Continue Reading...