Apre-salomemanzo

Phishing emails increasingly use SVG attachments to evade detection
aecifo

Threat actors are increasingly using Scalable Vector Graphics (SVG) attachments to display phishing forms or deploy malware while evading detection.

Most images on the web are JPG or PNG files, made up of grids of small squares called pixels. Each pixel has a specific color value and together these pixels make up the entire image.

SVG, or Scalable Vector Graphics, displays images differently because instead of using pixels, images are created using lines, shapes, and text described in text-based mathematical formulas in code.

For example, the following text will create a rectangle, a circle, a link, and some text:



    
    

    
    

    
    

    
    Hello, SVG!

When opened in a browser, the file will generate the graphics described by the text above.

Generated SVG image
Source: BleepingComputer

As they are vector images, they are automatically resized without loss of quality or shape, making them ideal for use in browser applications that may have different resolutions.

Using SVG attachments to evade detection

The use of SVG attachments in phishing campaigns is nothing new, with BleepingComputer reporting their use in previous Qbot malware campaigns and as a way to hide malicious scripts.

However, threat actors are increasingly using SVG files in their phishing campaigns, according to security researcher MalwareHunterTeam, who shared recent samples (1, 2) with BleepingComputer.

These examples, and others seen by BleepingComputer, illustrate how versatile SVG attachments can be: they not only display graphics, but can also display HTML using the <foreignObject> element and run JavaScript when the image is loaded.

This allows bad actors to create SVG attachments that not only display images, but also create phishing forms to steal credentials.

As shown below, a recent SVG attachment (VirusTotal) displays a fake Excel spreadsheet with an embedded login form that, once submitted, sends the data to malicious actors.

SVG attachment showing a phishing form
Source: BleepingComputer

Other SVG attachments used in a recent campaign (VirusTotal) claim to be official documents or requests for additional information, prompting you to click the download button, which then downloads the malware from a remote site.

SVG attachment used to distribute malware
Source: BleepingComputer

Other campaigns use SVG attachments and embedded JavaScript to automatically redirect browsers to sites hosting phishing forms when the image is opened.

The problem is that because these files are mostly just text representations of images, security software often fails to detect them. From the samples seen by BleepingComputer and uploaded to VirusTotal, they have at most one or two detections by security software.

That said, SVG attachments are not common in legitimate emails and should immediately be treated with suspicion.

Unless you are a developer and expect to receive these types of attachments, it is safest to delete all emails containing them.
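
The behaviours described above (HTML embedded in the image, script that runs when it loads, and links or forms pointing at remote sites) all leave structural markers in the file, so an attachment can be triaged by parsing it rather than by signature. The following Python is an added example, not code from BleepingComputer or the researchers; the tag list, finding labels and both sample files are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Elements that carry HTML or script inside an SVG (illustrative, not exhaustive).
ACTIVE_TAGS = {"script", "foreignobject", "form", "input", "iframe"}
URL_ATTRS = {"href", "src", "action"}

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1].lower()

def scan_svg(data: bytes) -> list:
    """Return a sorted list of findings for active content in an SVG attachment."""
    # Do not expand entities from untrusted mail; report the declaration instead.
    if re.search(rb"<!ENTITY", data, re.I):
        return ["entity-declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["unparseable"]
    findings = set()
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.add(f"element:{tag}")
        for name, value in el.attrib.items():
            attr = local(name)
            val = re.sub(r"\s+", "", value).lower()  # defeat whitespace padding
            if attr.startswith("on"):                # onload, onclick, ...
                findings.add(f"handler:{attr}")
            elif attr in URL_ATTRS and val.startswith(("javascript:", "data:text/html")):
                findings.add(f"script-url:{attr}")
            elif attr in URL_ATTRS and val.startswith(("http:", "https:", "//")):
                findings.add(f"remote-url:{attr}")
    return sorted(findings)

# Constructed samples: a plain drawing, and a file shaped like the lures above.
BENIGN = (b'<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200">'
          b'<rect x="10" y="10" width="100" height="50"/>'
          b'<text x="50" y="130">Hello, SVG!</text></svg>')
SUSPICIOUS = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <foreignObject width="300" height="200">
    <form xmlns="http://www.w3.org/1999/xhtml" action="https://example.invalid/collect">
      <input name="password" type="password"/>
    </form>
  </foreignObject>
  <script>/* placeholder */</script>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_svg(sample))
```

A `remote-url` finding on its own also occurs in legitimate graphics that contain ordinary hyperlinks, so it is a reason to look closer rather than a verdict; `foreignObject`, form elements, scripts and event handlers in a mailed image are the stronger signals.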