An unusual phishing technique has been observed in the wild, hiding empty SVG files inside HTML attachments pretending to be DocuSign documents.
Security researchers at email security provider Avanan named it “Blank Image.” They explain that the attack allows phishing actors to evade detection of redirect URLs.
The phishing email sent to prospective victims purports to be a document from DocuSign, a widely abused brand as many recipients are familiar with it from their office jobs.
The victim is requested to review and sign the sent document that is named “Scanned Remittance Advice.htm.”
HTML files are popular among phishing actors because they are typically ignored by email security products and thus have higher chances of reaching the target’s inbox.
If a victim clicks on the “View Completed Document” button, they are taken to a genuine DocuSign webpage. However, if they attempt to open the HTML attachment, the ‘Blank Image’ attack is activated.