Threat actors have a new trick: hiding malicious JavaScript inside what looks like an innocent image, according to the Ontinue research team.
A string of phishing campaigns is using SVG (Scalable Vector Graphics) files to smuggle browser redirects past traditional security tools. The result? Stealthy attacks, minimal user interaction, and victims who never see it coming.
Images That Bite
SVGs aren’t just pictures. They’re text-based XML files, which means attackers can slip JavaScript into them without raising alarms. In these campaigns, the SVG files include hidden scripts disguised within script tags, using a format that conceals the actual code content.
Once opened, the file quietly redirects the user to attacker-controlled infrastructure.
The final URLs are built with atob() to decode Base64 strings and executed via window.location.href. Those Base64 chunks likely include tracking identifiers, giving attackers insight into who clicked, and where.
Delivery: Deceptive Simplicity
It starts with a phishing email. The SVG is either attached directly or linked from an external source. The email itself is sparse. A short subject line like “Missed Call,” “ToDo List,” or “Payment Reminder.” Sometimes, just an image and a nudge to open it.
The sender? Spoofed. Many of these emails come from domains with no DKIM, weak SPF, and no DMARC enforcement. Others use lookalike domains that mimic real brands. The simplicity is the point: less content means fewer clues for scanners to catch.
What Makes It Work
This isn’t a typical malware dropper. There’s no executable file, no macro-laced document. Just a browser rendering an SVG. And that’s what makes it effective.
Attackers use:
- SVGs to bypass file-type restrictions.
- XOR-encrypted payloads to hide logic.
- Function constructors and dynamic URL assembly to stay out of sight.
- Geofencing to tailor redirects and dodge automated scanners.
The infrastructure shifts often. Domains are low-reputation and short-lived. Subdomain patterns vary. Static filtering has a hard time keeping up.
Who’s Being Targeted?
Primarily B2B service providers. Think SaaS companies, utilities, finance-related firms. Any business accustomed to receiving high volumes of email is fair game. The payload is generic enough to cast a wide net, but it is delivered with precision.
Not the First, but Sharper Than Most
SVG smuggling isn’t entirely new, but this campaign is a level up. Previous attacks relied on external payload hosting or plain script tags. Here, the JavaScript is encrypted inside the image file, decrypted on the client side, and executed in the browser. No downloads. No prompts. Just silent redirection.
What You Should Do
Harden email
- Enforce SPF, DKIM, and DMARC; don’t just publish them.
- Block SVG attachments or sanitize them with Content Disarm and Reconstruction (CDR).
- Watch for lookalike domains targeting your users.
Improve detection
- Flag SVG files containing script logic or encoding functions.
- Use advanced threat detection tools that inspect file content deeply, not just metadata.
- Leverage browser-based behavior analysis, especially for redirect patterns.
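The first detection bullet, flagging SVGs that carry script logic or encoding functions, can be implemented as a static triage step over inbound attachments. The scanner below is an added example (not Ontinue's or Information Security Buzz's code) that parses the SVG as XML and reports the indicators the article describes: script elements, atob() decoding, window.location redirects, Function constructors and char-level decoding typical of XOR unpacking. The indicator list and the constructed SAMPLE_SVG (placeholder URL) are assumptions; malformed files fall back to raw-text checks because browsers render SVGs that strict XML parsers reject.

```python
"""Static triage of inbound SVG files for script-smuggling indicators.
Added example, not Ontinue's code; the indicator list is assumed from the article."""
import re
import xml.etree.ElementTree as ET

# Script substrings this example treats as suspicious (per the article).
SCRIPT_INDICATORS = {
    "atob(": "base64 decode",
    "window.location": "browser redirect",
    "Function(": "dynamic code construction",
    "fromCharCode": "char-level decoding (XOR-style)",
}

# Constructed sample lure: placeholder URL (example.invalid), inert outside a browser.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/>
<script>window.location.href = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv");</script></svg>"""

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def scan_svg(data: bytes) -> list[str]:
    """Return findings; an empty list means no indicator matched."""
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Browsers still render malformed SVG, so fall back to raw-text checks.
        text = data.decode("utf-8", "replace")
        findings.append("malformed XML")
        if re.search(r"<script\b", text, re.I):
            findings.append("<script> in raw text")
        findings += [f"raw text uses {k}" for k in SCRIPT_INDICATORS if k in text]
        return findings
    for el in root.iter():
        name = _local(el.tag)
        if name == "script":
            findings.append("<script> element")
            body = "".join(el.itertext())
            findings += [f"script uses {k} ({v})" for k, v in SCRIPT_INDICATORS.items() if k in body]
        elif name == "foreignObject":
            findings.append("<foreignObject> (embedded HTML)")
        for attr, value in el.attrib.items():
            a = _local(attr).lower()
            if a.startswith("on"):
                findings.append(f"event handler {a}")
            elif a == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: href")
    return findings
```

Any non-empty result is a reason to quarantine the attachment or route it to CDR rather than deliver it; a clean SVG (shapes and paths only) returns an empty list.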
Train your people
- Let users know that even image files can be risky.
- Include SVG-based lures in your phishing simulations.
Defend with tech
- Enable Safe Attachments and Safe Links in Microsoft Defender for Office 365.
- Use Zero-hour Auto Purge (ZAP) to pull phishing emails post-delivery.
- Build anti-phishing policies that flag suspicious senders or spoof attempts.
Attackers adapt and so must defenders. As payloads get more creative and hide in plain sight, organizations need to rethink what counts as “safe.”
Treat Every Inbound SVG as a Potential Executable
Jason Soroko, Senior Fellow at Sectigo says defenders must collapse the old distinction between code and content. “Treat every inbound SVG as a potential executable. Strip or block script tags. Enforce strict DMARC alignment and auto purge questionable mail. Instrument telemetry to catch browser pivots triggered by window location changes that originate from image previews. Layered controls, like Safe Links content disarmament, and lookalike domain monitoring, will disrupt the simple path attackers now rely on.”
Relying on Complacency
John Bambenek, President at Bambenek Consulting adds that this is a fresh spin on the technique of using image files for delivering suspect content, in this case, malicious PDFs. “The attackers have to rely on complacency (“it’s only an image, it doesn’t execute code”) to lull organizations into accepting this content and getting it on the inside of a network.”
While this report and research are valuable to enterprises, and the search is valuable for hunt teams, organizations without security staff, as well as end consumers, will remain vulnerable to conventional cybercrime using this technique, he concludes.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.