
Hackers Exploit SVG Files for Stealthy Browser Redirects

Ontinue has issued a warning about a newly discovered phishing campaign that uses Scalable Vector Graphics (SVG) files in redirect-based attacks designed to bypass traditional detection methods. 

Although SVG files are typically harmless image formats, they can carry embedded scripts. Cybercriminals are exploiting this by injecting obfuscated JavaScript code into SVG files, which triggers browser redirects at runtime. 

The malicious code is hidden inside a CDATA section within the SVG file and uses a static XOR key to decrypt the payload. Once decrypted, the script generates a redirect command and assembles a destination URL that includes tracking features. 

According to Ontinue, this technique does not require file downloads or macros to execute JavaScript. The method also avoids detection by being distributed through spoofed emails that can slip past basic spam filters. 

The phishing emails that carry the malicious SVG files often come from domains with weak or misconfigured DKIM, DMARC, and SPF settings. This allows the attackers to impersonate legitimate senders. In some cases, domain names closely resembling those of real organizations were used. 

The messages are usually very simple, containing just a few lines urging recipients to preview an image in their browser. The SVG file may be sent as an attachment or hosted externally, with a link included in the message. 

To make detection more difficult, the attackers used randomized domains or subdomain structures. These domains have little or no established reputation and appear to be regularly rotated. 

The campaign primarily targeted business-to-business service providers, including firms in finance, utility services, human resources, and software-as-a-service. These organizations frequently handle sensitive corporate information, making them attractive targets. 

The use of SVG-based smuggling in these attacks allows the embedded script to execute within the browser without requiring user interaction or additional downloads. This evasion strategy helps bypass traditional behavioral and signature-based detection tools. 

Ontinue highlights the stealthy nature of the campaign, which combines phishing tactics with browser-level redirection in a way that is both efficient and hard to trace. 

Jason Soroko, a senior fellow at Sectigo, emphasized that defenders must treat all content as potentially dangerous, just like executable code. 

He recommends treating every incoming SVG file as potentially harmful, removing or blocking script tags, enforcing strict DMARC policies, and automatically deleting suspicious messages. He also advises setting up telemetry to detect browser redirection triggered by changes in window location during image previews. Additional layers of defense such as Safe Links disarmament and monitoring for lookalike domains can further reduce the risk of compromise. 
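As an added example that is not part of the article or of Ontinue's or Sectigo's tooling, the Python script below triages an SVG attachment for the traits described above (script elements, CDATA-wrapped script, XOR decoding, window location changes, inline event handlers) and strips the script-bearing parts, matching the "remove or block script tags" advice. The regexes, function names and the two sample files are constructed for illustration; the suspect sample is inert.

```python
# Defender-side triage of SVG attachments: flag the traits described above and
# strip script elements, on* handlers and javascript: hrefs before any preview.
import re
import xml.etree.ElementTree as ET
ET.register_namespace("", "http://www.w3.org/2000/svg")
ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")
# Heuristics over the raw file and script bodies; tune for your own mail flow.
CDATA_SCRIPT_RE = re.compile(r"<script\b[^>]*>\s*<!\[CDATA\[", re.I | re.S)
XOR_DECODE_RE = re.compile(r"charCodeAt\s*\([^)]*\)\s*\^")
LOCATION_RE = re.compile(r"\blocation\s*(\.href|\.replace|\.assign)?\s*[=(]")
def _local(name: str) -> str:
    return name.rsplit("}", 1)[-1]  # '{ns}script' -> 'script'
def _is_js_href(attr: str, val: str) -> bool:
    return _local(attr) == "href" and val.strip().lower().startswith("javascript:")

def triage_svg(data: str) -> dict:
    """Indicator counts plus a verdict for one SVG document (no rewriting)."""
    root = ET.fromstring(data)  # production: parse untrusted XML with defusedxml
    elems = list(root.iter())
    scripts = [e for e in elems if _local(e.tag) == "script"]
    script_text = "\n".join(e.text or "" for e in scripts)
    handlers = [a for e in elems for a in e.attrib if a.lower().startswith("on")]
    js_hrefs = [v for e in elems for k, v in e.attrib.items() if _is_js_href(k, v)]
    return {
        "script_elements": len(scripts), "event_handlers": len(handlers),
        "javascript_hrefs": len(js_hrefs),
        "cdata_script": bool(CDATA_SCRIPT_RE.search(data)),
        "xor_decode": bool(XOR_DECODE_RE.search(script_text)),
        "location_change": bool(LOCATION_RE.search(script_text)),
        "suspicious": bool(scripts or handlers or js_hrefs),
    }

def sanitize_svg(data: str) -> str:
    """Drop <script> elements, on* handlers and javascript: hrefs; keep the drawing."""
    root = ET.fromstring(data)
    for parent in list(root.iter()):  # snapshot: the tree is edited while walking
        for child in list(parent):
            if _local(child.tag) == "script":
                parent.remove(child)
        for attr, val in list(parent.attrib.items()):
            if attr.lower().startswith("on") or _is_js_href(attr, val):
                del parent.attrib[attr]
    return ET.tostring(root, encoding="unicode")

# Constructed samples: a plain drawing and an inert file carrying the campaign's traits.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
SUSPECT_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="init()"><rect width="1" height="1"/>'
               '<script><![CDATA[var k=7,b="CONSTRUCTED",o=String.fromCharCode(b.charCodeAt(0)^k);'
               'window.location=o;]]></script></svg>')
```

Run `triage_svg` on an attachment before it reaches an inline preview and route anything marked suspicious to quarantine; `sanitize_svg` is for the case where the drawing itself must still be delivered.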
