SVG files are now part of the sophisticated toolkit utilized by phishers to infiltrate user systems, utilizing their seemingly innocuous nature to bypass traditional email security defenses. A recent analysis highlighted campaigns leveraging SVG files designed to evade detection mechanisms reliant on URL and attachment scanning. One such report noted a specific uptick in these attacks targeting corporate users across several sectors, effectively avoiding detection by masquerading as legitimate communications.

Campaign or TTP Overview

The use of SVG files in phishing is not entirely new, but the frequency and sophistication of these attacks have increased. Recently, targeted campaigns hitting financial and healthcare sectors have been observed, utilizing SVGs attached to phishing emails. These attacks primarily occurred between June and September 2023, with particular focus on firms with robust URL filtering systems in place.

The threat actors remain largely unidentified; however, characteristics suggest they are adept at evading multi-layered defenses. Reports indicated that multiple organizations found SVG-phishing attempts in their spam folders, indicating some level of defense bypass, necessitating further investigation and response.

How It Was Built

The attack sequence typically begins with an email that appears routine or expected. Subject lines often reference pending invoices or meeting schedules, intended to compel immediate action. For instance, a common subject might be:

Subject: Invoice Payment - Ref #67829 Due Today

The sender address is crafted to mimic known contacts within the target’s network, such as billing@acmecorp-finance.com, exploiting trust via domain manipulation.

The SVG file itself is embedded within the email, leveraging its ability to contain JavaScript and other embedded objects. When opened, the SVG executes a script that redirects the user to a crafted phishing site that mirrors login portals or financial transaction screens. The legitimacy is further masked by using subdomains that appear similar to those of legitimate business partners, such as:

https://secure-login.acmeinvoice.com/verify

The phishing site itself is a near-perfect replica of the target organization’s portal. The user is prompted to reauthenticate, inputting credentials that are then harvested by the attacker for potential malicious use.

Why It Worked

SVG complexity plays a core role here. Traditional email security platforms focus heavily on detecting suspicious URLs or recognizable attachment types like executables or compressed files. SVGs, being vector files predominantly used for graphics, often evade these filters.

The authenticity of sender details is another factor. Utilizing email addresses that mimic internal domain patterns builds a trust bridge with the recipient, lowering suspicion. The realistic subject lines combined with perceived urgency compel recipients to act promptly, overshadowing cautious behavior.

Finally, the dynamic redirect capabilities of SVGs mean recipients are taken to hyper-realistic phishing sites. These sites are specifically tailored to avoid resonance with generic lists of blocked domains, making them highly effective until reported.

Operator Takeaways

For red team operators, the integration of SVG files within phishing campaigns offers an advanced approach to test detection limits. These files can be used to gauge the resilience of current filtering systems, particularly focusing on the security checks overlooked by relying solely on traditional mechanisms. Consider including SVG payloads in your test campaigns to assess and enhance detection capabilities.

Additionally, crafting sender domains that accurately mimic the target’s internal structure, combined with high-contextuality lures reflecting current business operations, will drive higher engagement rates and reveal gaps in user training.

Good / Better / Best

Good: Handle SVGs with simple embedded URLs that divert to a straightforward phishing page without heavy customization. This serves as a baseline to test basic evasive capabilities against security screens.

Better: Employ SVGs utilizing JavaScript to create script-driven redirects that enhance the phish page’s adaptability to user interactions and conditions, such as device type or time of access, ensuring it dynamically adjusts to appear more legitimate.

Best: Integrated SVG strategies that not only redirect but also engage victims through crafted behavioral emulations, leveraging data mined from open sources about victim working habits. Phishing pages could incorporate personalized user greetings or simulate work-related platforms to deepen legitimacy and trust.

References

• SANS Internet Storm Center
• Palo Alto Networks Unit 42 Blog

Related Reading

• Incorporating Scalable Vector Graphics (SVG) in Phishing Campaigns
• Leveraging SVG Files in Phishing: Techniques and Countermeasures
• Integrating Vulnerability Exploitation into Phishing Campaigns
• Mastering Phishing Payload Delivery: Techniques and Strategies

Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.