Technology

SVG files are offering cybercriminals an easy way in with new phishing attacks

February 7, 2025

Sophos says the use of SVG files in phishing is on the rise
SVG files bypass email protection and can display malicious hyperlinks
The researchers shared a few tips on how to stay safe

Hackers are using .SVG files in new phishing attacks aimed at stealing people’s Office 365 login credentials, experts have warned.

A report from researchers at Sophos revealed the number of phishing attacks with .SVG files in attachments is on the rise. SVG (Scalable Vector Graphics) files are XML-based images that can be scaled without losing quality, making them ideal for web design, icons, and illustrations. Unlike raster images (e.g., PNG, JPG), SVGs use mathematical equations to define shapes, allowing them to remain crisp at any size.

Since SVG files are usually loaded natively inside a browser, they can contain anchor tags, scripts, and other kinds of active web content.

Defending against SVG attacks

Sophos notes the body of the phishing emails is nothing extraordinary. It’s the usual invoice/new voicemail/signature required type of email, with an .SVG attachment, that usually only displays a sentence or two, and a hyperlink. Sophos says that it’s seen these messages, especially the contents inside the SVG file, grow more sophisticated as the campaign progressed.

In any case, opening the SVG file brings up a new browser tab, and in it a hyperlink. Clicking the hyperlink redirects the victim to a fake Office365 login page that steals the login credentials and relays them to the attackers.

There are two ways to defend against these phishing emails, Sophos said. The best way (aside from not clicking on shady email attachments) is to open a known, benign SVG file on the computer, and instruct Windows to always open it in Notepad, or a similar non-browser program.

“Even if you accidentally click a malicious SVG in the future, it’ll only open in Notepad, throwing another roadblock in front of (potentially) being phished,” Sophos explained. “If, at some point, you find you need to work with real SVG files, follow the same steps again, and choose the graphics application you plan to use.”

The second way is to use a reputable email security program. Sophos said a detection signature was developed for the various kinds of weaponized files it recently observed.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar