What is an SVG File in the Context of Phishing?

In the context of phishing, an SVG file (Scalable Vector Graphic) is an image file format that attackers leverage to deliver malicious payloads or scripts. Because SVG is an XML document format rather than a raster bitmap, an SVG file can carry script elements, which makes it a versatile tool for threat actors in phishing scenarios.

An SVG file is a graphical file format used by phishers to embed and deliver malicious scripts covertly within phishing emails or web pages.

Why It Matters

SVG files play a crucial role in phishing attacks due to their dual nature as both an image and a potentially scriptable object. Because they are commonly perceived as benign image files, they can evade basic security filters and present unique challenges to unsuspecting users. Threat actors capitalize on the trust users place in graphics by embedding malicious scripts within SVG files—scripts that activate when the SVG is viewed in a browser.

Targets encounter SVG files during phishing campaigns, most often as email attachments or as inline content on compromised websites. The ability of SVGs to contain JavaScript makes them particularly dangerous in these contexts, because the script runs from what appears to be an image rather than from an HTML or JavaScript attachment, which filters are far more likely to flag.

In Practice

In a phishing campaign, a threat actor might send an email with the subject line, “Invoice for Q4 Services,” including an SVG file attachment named Invoice.svg. When the recipient views the SVG in their browser, embedded JavaScript can execute, redirecting the user to a credential-harvesting site crafted to look like Microsoft Office 365.


<svg xmlns="http://www.w3.org/2000/svg" width="600" height="300">
  <script type="text/javascript">
    // Malicious script here
    window.location.href = "http://login-validation.zzz.info/Office365";
  </script>
  <rect x="50" y="20" width="150" height="150" style="fill:red;"/>
</svg>

Another example involves using SVG files hosted directly on phishing websites. Attackers generate links with SVG files that create the illusion of legitimate pages. Users clicking on links like securebanking.xyl.com/feedback.svg could unknowingly activate scripts that simulate login forms and transmit entered credentials back to the attackers.


<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="800" height="600">
  <!-- The xlink namespace must be declared, or strict XML parsers reject the file -->
  <a xlink:href="http://malicious-redirect.zzz.com" target="_top">
    <!-- Link text styled to read like a legitimate call to action -->
    <text x="20" y="35" class="small" fill="blue">Click here for account verification</text>
  </a>
</svg>
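Both of the SVG patterns above (an embedded script element and an off-site link dressed up as a call to action) can be caught before the file reaches a browser. The following is an added defensive example written for this article; it is not code from the article or from any product. It builds a constructed e-mail in memory, extracts every attachment, identifies SVG content by parsing it rather than trusting the filename or Content-Type, and reports the indicators that make an SVG risky: script elements, on* event-handler attributes, javascript: URIs, links pointing off-site, and foreignObject elements (which can wrap arbitrary HTML). The two malicious samples reuse the shapes and URLs shown above; the sender and recipient addresses, attachment names and the benign logo are constructed placeholders. One caveat worth knowing when triaging: a browser executes SVG script only when the file is opened as a document (directly, or via object/iframe), not when it is referenced through an img element or CSS, so the attachment-open path is the one that matters.

```python
"""Scan e-mail attachments for script-bearing SVG files (added example)."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from email.message import EmailMessage

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed samples. The first two mirror the article's snippets.
SCRIPT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="600" height="300">
  <script type="text/javascript">
    window.location.href = "http://login-validation.zzz.info/Office365";
  </script>
  <rect x="50" y="20" width="150" height="150" style="fill:red;"/>
</svg>"""

LINK_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="800" height="600">
  <a xlink:href="http://malicious-redirect.zzz.com" target="_top">
    <text x="20" y="35" fill="blue">Click here for account verification</text>
  </a>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="green"/>
</svg>"""


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree name ('{ns}script' -> 'script')."""
    return tag.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list[str]:
    """Return the list of suspicious indicators found in an SVG document.

    An empty list means the SVG parsed cleanly with nothing suspicious.
    Anything that is not a well-formed SVG yields ['not-svg'] so it is never
    silently treated as clean.
    """
    try:
        # For untrusted input in production, parse with defusedxml to block
        # entity-expansion attacks; the stdlib parser is used here for portability.
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not-svg"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return ["not-svg"]

    findings: list[str] = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "script":
            findings.append("script-element")
        elif name == "foreignObject":
            findings.append("foreignObject-element")
        for attr, value in elem.attrib.items():
            aname = _local(attr)  # handles both href and xlink:href
            if aname.lower().startswith("on"):
                findings.append(f"event-handler:{aname}")
            if re.match(r"\s*javascript:", value, re.I):
                findings.append(f"javascript-uri:{aname}")
            if name == "a" and aname == "href" and re.match(r"https?://", value, re.I):
                findings.append(f"external-link:{value}")
    return findings


def build_sample_email() -> EmailMessage:
    """Construct a message shaped like the invoice lure described above."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice for Q4 Services"
    msg["From"] = "billing@example.invalid"   # constructed placeholder
    msg["To"] = "user@example.invalid"        # constructed placeholder
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(SCRIPT_SVG, maintype="image", subtype="svg+xml",
                       filename="Invoice.svg")
    # Mislabelled as PNG to show that content, not metadata, is what gets checked.
    msg.add_attachment(LINK_SVG, maintype="image", subtype="png",
                       filename="feedback.png")
    msg.add_attachment(BENIGN_SVG, maintype="image", subtype="svg+xml",
                       filename="logo.svg")
    return msg


def scan_email(msg: EmailMessage) -> dict[str, list[str]]:
    """Map each SVG attachment's filename to its findings; non-SVG parts are skipped."""
    report: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if data is None:
            continue
        findings = scan_svg(data)
        if findings != ["not-svg"]:
            report[part.get_filename()] = findings
    return report


if __name__ == "__main__":
    for filename, findings in scan_email(build_sample_email()).items():
        print(f"{filename}: {findings or 'clean'}")
```

Because the check keys off the parsed root element rather than the extension or declared MIME type, the mislabelled feedback.png is still recognised as an SVG and its off-site link is reported; a mail gateway rule that only blocks *.svg attachments would have let it through.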

Threat actors also exploit SVGs in spear-phishing campaigns aimed at specific targets, customizing messages and graphics to enhance credibility and increase the likelihood of interaction. By embedding SVGs within HTML emails, attackers can achieve higher engagement rates, particularly when the message is tailored to the recipient’s role or activities within the organization.

Related Terms

Practitioners interested in SVGs in phishing campaigns should also familiarize themselves with social engineering tactics, attachment filtering bypass methods, and file-based exploitation strategies. These concepts deepen the understanding of how SVG files fit into broader phishing methodologies.

References

As detailed by the Internet Storm Center, SVG files have historically been utilized by threat actors to deliver payloads that evade detection. Other sources, such as SVG Phishing Research, highlight case studies in which SVGs are used in high-profile phishing campaigns.


Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.