SVG files are offering cybercriminals an easy way in with new phishing attacks

News
By
published

SVG files could pose a security risk, experts warn

A digital themed isometric showing a neon padlock in the foreground, and a technological diagram of a processor logic board in the background.
(Image credit: Shutterstock / JLStock)
  • Sophos says the use of SVG files in phishing is on the rise
  • SVG files bypass email protection and can display malicious hyperlinks
  • The researchers shared a few tips on how to stay safe

Hackers are using .SVG files in new phishing attacks aimed at stealing people’s Office 365 login credentials, experts have warned.

A report from researchers at Sophos revealed the number of phishing attacks with .SVG files in attachments is on the rise. SVG (Scalable Vector Graphics) files are XML-based images that can be scaled without losing quality, making them ideal for web design, icons, and illustrations. Unlike raster images (e.g., PNG, JPG), SVGs use mathematical equations to define shapes, allowing them to remain crisp at any size.

Since SVG files are usually loaded natively inside a browser, they can contain anchor tags, scripts, and other kinds of active web content.

Defending against SVG attacks

Sophos notes the body of the phishing emails is nothing extraordinary. It’s the usual invoice/new voicemail/signature required type of email, with an .SVG attachment, that usually only displays a sentence or two, and a hyperlink. Sophos says that it’s seen these messages, especially the contents inside the SVG file, grow more sophisticated as the campaign progressed.

In any case, opening the SVG file brings up a new browser tab, and in it a hyperlink. Clicking the hyperlink redirects the victim to a fake Office365 login page that steals the login credentials and relays them to the attackers.

There are two ways to defend against these phishing emails, Sophos said. The best way (aside from not clicking on shady email attachments) is to open a known, benign SVG file on the computer, and instruct Windows to always open it in Notepad, or a similar non-browser program.

“Even if you accidentally click a malicious SVG in the future, it’ll only open in Notepad, throwing another roadblock in front of (potentially) being phished,” Sophos explained. “If, at some point, you find you need to work with real SVG files, follow the same steps again, and choose the graphics application you plan to use.”

The second way is to use a reputable email security program. Sophos said a detection signature was developed for the various kinds of weaponized files it recently observed.

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
Hacker Typing
This devious two-step phishing campaign uses Microsoft tools to bypass email security
An iPhone sitting on a wooden table
Millions at risk as malicious PDF files designed to steal your data are flooding SMS inboxes - how to stay safe
AI business data center
Cybercriminals are using virtual hard drives to drop RATs in phishing attacks
Close up of a business person using a smartphone.
Watch out, malicious PDF files are being used again in phishing attacks
email
Hidden text "salting" is letting hackers craft devious email attacks to evade detection
Fraude en ligne phishing
Phishing clicks nearly tripled in 2024 as criminals aim for smarter attacks
Latest in Security
Woman using iMessage on iPhone
UK government guidelines remove encryption advice following Apple backdoor spat
Cryptocurrencies
Ransomware’s favorite Russian crypto exchange seized by law enforcement
Wordpress brand logo on computer screen. Man typing on the keyboard.
Thousands of WordPress sites targeted with malicious plugin backdoor attacks
HTTPS in a browser address bar
Malicious "polymorphic" Chrome extensions can mimic other tools to trick victims
ransomware avast
Hackers spotted using unsecured webcam to launch cyberattack
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Microsoft reveals over a million PCs hit by malvertising campaign
Latest in News
Apple iPhone 16 Plus
Apple officially delays the AI-infused Siri and admits, ‘It’s going to take us longer than we thought’
The Meta Quest Pro on its charging pad on a desk, in front of a window with the curtain closed
Samsung, Apple and Meta want to use OLED in their next VR headsets – but only Meta has a plan to make it cheap
AMD Ryzen 9000 3D chips
AMD officially announces price and release date for Ryzen 9 9900X3D and 9950X3D processors
Google Pixel 9
There's something strange going on with Google Pixel phone vibrations after the latest update
A masculine hand holding the Nvidia GeForce RTX 5070 Ti
Budget gamers rejoice as Nvidia RTX 5050 and RTX 5060 are rumored to launch in April
The Asus ROG Ally handheld gaming PC
AMD's new driver adds AFMF 2.1 support for improved frame generation - and it could be a game-changer for handheld gaming PCs
More about security
Cryptocurrencies

Ransomware’s favorite Russian crypto exchange seized by law enforcement
Wordpress brand logo on computer screen. Man typing on the keyboard.

Thousands of WordPress sites targeted with malicious plugin backdoor attacks
Brother HL-L2865DW during our review process

Brother denies claims it locked down third-party printer ink cartridges via forced firmware updates
See more latest
Most Popular
Brother HL-L2865DW during our review process
Brother denies claims it locked down third-party printer ink cartridges via forced firmware updates
Telo MT1
The anti-Cybertruck? This new electric pick-up is the size of a Mini and the cutest way to haul your gear
Apple iPhone 16 Plus
Apple officially delays the AI-infused Siri and admits, ‘It’s going to take us longer than we thought’
AMD Ryzen 9000 3D chips
AMD officially announces price and release date for Ryzen 9 9900X3D and 9950X3D processors
Microtik RDS2216 data server
This is Amazon's first foray in servers, and certainly not the last: MicroTik franken-router is powered by the AWS Graviton 1 Arm CPU
The Meta Quest Pro on its charging pad on a desk, in front of a window with the curtain closed
Samsung, Apple and Meta want to use OLED in their next VR headsets – but only Meta has a plan to make it cheap
Cryptocurrencies
Ransomware’s favorite Russian crypto exchange seized by law enforcement
Google Pixel 9
There's something strange going on with Google Pixel phone vibrations after the latest update
NordVPN running on a desktop, mobile devices, Apple TV, a router and a game console
NordVPN reacts to results from its latest security audit
The Asus ROG Ally handheld gaming PC
AMD's new driver adds AFMF 2.1 support for improved frame generation - and it could be a game-changer for handheld gaming PCs