Threat actors have begun to weaponize Scalable Vector Graphics (SVG) files with considerable sophistication, turning them into a new vector for malware delivery. These malicious SVG files are particularly insidious because email gateways often treat them as static images, which lets them pass initial security checks in phishing campaigns. When the recipient previews the SVG, hidden JavaScript embedded in the file executes in the browser and starts an invisible chain of redirects that ultimately funnels the victim to attacker-controlled infrastructure. The minimalist lure emails, which often target organizations with weak SPF, DKIM, or DMARC enforcement, make these attacks even more effective.
A key aspect of this attack is its stealth. Because no executable file is dropped on the system, endpoint security agents typically observe nothing more than normal browser activity. This allows threat actors to quietly harvest credentials through well-crafted, legitimate-looking portals such as Microsoft 365 look-alikes. The technique represents a significant strategic shift: adversaries increasingly weaponize file formats that browsers render natively, which removes the need to persuade users to enable macros or run installers and leaves traditional controls focused on executables, archives, or scripts largely ineffective.
The infection mechanism itself relies on self-decoding JavaScript smuggling.
Each malicious SVG file embeds an obfuscated payload within its tags, protected by a simple XOR key that evades static scanners. A two-stage routine then reconstructs the malicious redirect at runtime: a short function decrypts the blob, and the Function constructor executes the resulting code directly in memory. Because this in-memory execution writes nothing to disk, the attacker needs no persistence mechanism, and detection becomes very difficult for traditional file-based security solutions.
The decoded script then dynamically builds a redirection URL by concatenating a base64-decoded domain (which rotates daily) with a victim-specific token, so each victim is redirected individually. The threat actors also employ geofencing logic, serving benign pages to sandboxes and to users outside the intended target region, which further complicates analysis and detection.
This level of sophistication highlights the adaptability of threat actors in evading security measures.
Effectively detecting and mitigating this evolving threat requires a more advanced approach. Security solutions must incorporate deep content inspection that can flag script tags embedded within files that present as images. Correlating unusual SVG command-line invocations with email telemetry can also provide crucial insight into potential compromises. Until these controls become more widespread and mature, organizations are strongly advised to quarantine unsolicited SVG attachments, enable content disarm and reconstruction (CDR) technologies, and move their DMARC policy from a monitoring state to a stricter “reject” policy so that these malicious emails never reach inboxes.
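The deep content inspection described above, together with the self-decoding pattern from the infection section (a decode step feeding the Function constructor), can be demonstrated with a small scanner. The following Python is an added example written for this page, not code from the original article or from any vendor product. It parses the SVG as XML, counts script elements, on* event-handler attributes and javascript: URLs, then looks for the decode-then-execute markers in the collected script text. The marker list and the three sample SVG documents are constructed for this example; the base64 blob in the sample decodes to an inert string and is never executed.

```python
import re
import xml.etree.ElementTree as ET

# Marker patterns for self-decoding smuggling: a decode step (base64, an XOR
# loop over charCodeAt, String.fromCharCode) feeding Function or eval.
# This list is an assumption for the example, not a vendor signature set.
SMUGGLING_MARKERS = {
    "function_ctor": re.compile(r"\bFunction\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\batob\s*\("),
    "xor_loop": re.compile(r"charCodeAt\s*\([^)]*\)\s*\^"),
    "from_char_code": re.compile(r"String\.fromCharCode"),
}
EXEC_MARKERS = {"function_ctor", "eval"}
DECODE_MARKERS = {"base64_decode", "xor_loop", "from_char_code"}


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> dict:
    """Inspect one SVG document and return findings plus a verdict.

    verdict is 'clean' (no executable content), 'suspicious' (a script,
    handler or javascript: URL is present, or the file does not parse), or
    'smuggling' (script text that both decodes a blob and runs it through
    Function/eval, the two-stage routine this page describes).
    """
    findings = {"script_elements": 0, "event_handlers": [],
                "javascript_urls": 0, "markers": [], "parse_error": False}
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # A file that claims to be SVG but is not well-formed XML deserves a look.
        findings["parse_error"] = True
        findings["verdict"] = "suspicious"
        return findings

    script_text = []
    for el in root.iter():
        if _local(el.tag) == "script":
            findings["script_elements"] += 1
            script_text.append(el.text or "")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onclick, onerror, ...
                findings["event_handlers"].append(name)
                script_text.append(value)
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings["javascript_urls"] += 1
                script_text.append(value)

    joined = "\n".join(script_text)
    findings["markers"] = sorted(label for label, pat in SMUGGLING_MARKERS.items()
                                 if pat.search(joined))
    markers = set(findings["markers"])
    if markers & EXEC_MARKERS and markers & DECODE_MARKERS:
        findings["verdict"] = "smuggling"
    elif findings["script_elements"] or findings["event_handlers"] or findings["javascript_urls"]:
        findings["verdict"] = "suspicious"
    else:
        findings["verdict"] = "clean"
    return findings


# Constructed samples for offline testing; none of these come from a real campaign.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">
  <rect width="16" height="16" fill="#2a7"/>
</svg>"""

# Mimics the two-stage routine: XOR-decode a base64 blob, then hand the result
# to the Function constructor. The blob decodes to the inert word "harmless".
SMUGGLED_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <rect width="1" height="1" fill="#fff"/>
  <script><![CDATA[
    var k = 7, b = atob("aGFybWxlc3M="), s = "";
    for (var i = 0; i < b.length; i++) s += String.fromCharCode(b.charCodeAt(i) ^ k);
    Function(s)();
  ]]></script>
</svg>"""

# Executable content without a decode stage: still worth quarantining.
HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="javascript:void(0)"><circle r="4" onclick="void(0)"/></a>
</svg>"""

if __name__ == "__main__":
    for name, doc in [("clean", CLEAN_SVG), ("smuggled", SMUGGLED_SVG), ("handler", HANDLER_SVG)]:
        r = scan_svg(doc)
        print(f"{name}: {r['verdict']} markers={r['markers']} handlers={r['event_handlers']}")
```

A gateway would run this on every attachment whose declared type or extension is SVG and quarantine anything that is not clean; the graded verdict lets a mail-flow rule treat a bare event handler and a full decode-then-execute routine differently. The XML parse also means a comment-only or CDATA-wrapped script body is still seen, which a plain substring grep for `<script` can miss when the tag is namespaced or split by whitespace.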