Summary: Cybercriminals are leveraging scalable vector graphics files in phishing attacks to evade detection by traditional security tools, according to a recent report from Sophos. SVG files, commonly used for rendering vector-based images, contain Extensible Markup Language (XML)-like instructions that allow for the embedding of interactive elements such as hyperlinks and scripts. This capability enables attackers to conceal malicious links within seemingly harmless image files. Because many email security and endpoint protection tools primarily classify SVGs as graphics files, they often fail to inspect them for malicious content. Even when security tools parse SVG files, threat actors exploit unique encoding methods and obfuscation techniques to evade detection.
Sophos researchers first observed the use of malicious SVG attachments in phishing emails in late 2024, with a sharp increase in attacks beginning in mid-January 2025. Attackers deploy a variety of lures to trick recipients into clicking on these files, using subject lines related to voicemails, contract agreements, payment confirmations, and benefits enrollment. These phishing campaigns impersonate well-known services to increase their credibility. Some versions are tailored to different regions and languages based on the top-level domain of the recipient's email address.
Security Officer Comments: The complexity of these attacks varies. Some SVG phishing emails contain only a few lines of hyperlinked text, such as "Click to Open," while others incorporate visually deceptive elements, including embedded brand logos and images, to convincingly mimic legitimate services. When a victim clicks the embedded link, they are redirected to attacker-controlled phishing pages designed to harvest login credentials and personal information. Because SVG files automatically open in default web browsers on Windows systems, users may not recognize the danger before it's too late.
The increasing use of SVG-based phishing tactics highlights the need for enhanced security measures, including improved email scanning, endpoint monitoring, and user awareness training. Organizations should update their security controls to inspect and flag potentially malicious SVG files, while users must remain cautious when opening unexpected email attachments, even if they appear to be simple image files.
Suggested Corrections: To mitigate the risks of SVG-based phishing attacks, organizations and individuals should focus on the following five key measures:
- Enhance Email Security Filters – Configure email security solutions to inspect SVG attachments for embedded hyperlinks and scripts, ensuring malicious content is detected and flagged.
- Block or Restrict SVG Attachments – Where feasible, organizations should block inbound emails containing SVG files or convert them into safe formats like PNG or JPEG before delivery.
- Enable Multi-Factor Authentication (MFA) – Enforce MFA on critical accounts to mitigate the impact of credential theft resulting from phishing attacks.
- Educate Users on Phishing Risks – Conduct awareness training to help users recognize suspicious SVG attachments, unexpected emails, and common phishing tactics.
- Use Web Filtering and DNS Protection – Deploy secure web gateways or DNS filtering to block access to known phishing domains and malicious redirect links.
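An added example (not from the Sophos report or this summary) of the attachment inspection the first correction calls for: a Python check that parses an SVG and flags the embedded hyperlinks, scripts and inline event handlers described above. The two sample SVG documents and the attacker.example domain are constructed for illustration; the obfuscated encodings the report mentions would need additional decoding before this check.

```python
"""Flag phishing indicators in SVG email attachments (added example)."""
import xml.etree.ElementTree as ET
from typing import List

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed samples: a plain graphic and a "Click to Open" lure.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="red"/></svg>"""

PHISH_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="https://attacker.example/login"><text x="0" y="15">Click to Open</text></a>
  <script>window.location="https://attacker.example/login";</script>
</svg>"""


def _local(tag: str) -> str:
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}a' -> 'a'."""
    return tag.rsplit("}", 1)[-1]


def inspect_svg(data: bytes) -> List[str]:
    """Return findings for one SVG document; an empty list means nothing flagged.

    Looks for the elements the report describes as abused (<a> hyperlinks and
    <script>), plus inline on* event handlers and <foreignObject>, which lets
    an "image" carry HTML. Unparseable input is reported rather than passed.
    """
    findings: List[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); treat as suspicious"]
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "script":
            findings.append("embedded <script> element")
        elif name == "foreignObject":
            findings.append("<foreignObject> element (may embed HTML)")
        elif name == "a":
            target = elem.get("href") or elem.get(XLINK_HREF) or ""
            findings.append(f"hyperlink to {target!r}")
        for attr, value in elem.attrib.items():
            if _local(attr).lower().startswith("on"):
                findings.append(f"event handler {_local(attr)} on <{name}>")
            if value.strip().lower().startswith(("javascript:", "data:text/html")):
                findings.append(f"{_local(attr)} uses scheme {value.split(':', 1)[0]!r}")
    return findings


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("phish", PHISH_SVG)):
        print(label, inspect_svg(doc) or "clean")
```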
Link(s):
https://news.sophos.com/en-us/2025/02/05/svg-phishing/
https://www.infosecurity-magazine.com/news/cybercriminals-graphics-files/