{ "id": "e9100d8a-1ddd-4b0b-a5cf-93c997d5b957", "created_at": "2026-04-06T00:16:44.57597Z", "updated_at": "2026-04-10T13:12:38.066574Z", "deleted_at": null, "sha1_hash": "a5e0c6624870866ffa611335c6f19fd7b4e05db1", "title": "Phishing emails increasingly use SVG attachments to evade detection", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 3912761, "plain_text": "Phishing emails increasingly use SVG attachments to evade detection\r\nBy Lawrence Abrams\r\nPublished: 2024-11-17 · Archived: 2026-04-05 21:39:41 UTC\r\nThreat actors increasingly use Scalable Vector Graphics (SVG) attachments to display phishing forms or deploy malware\r\nwhile evading detection.\r\nMost images on the web are JPG or PNG files, which are made of grids of tiny squares called pixels. Each pixel has a\r\nspecific color value, and together, these pixels form the entire image.\r\nSVG, or Scalable Vector Graphics, displays images differently, as instead of using pixels, the images are created\r\nthrough lines, shapes, and text described in textual mathematical formulas in the code.\r\nhttps://www.bleepingcomputer.com/news/security/phishing-emails-increasingly-use-svg-attachments-to-evade-detection/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/phishing-emails-increasingly-use-svg-attachments-to-evade-detection/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\nFor example, the following text will create a rectangle, a circle, a link, and some text:\n![SVG Image](data:image/svg+xml;base64,PHN2ZyBoZWlnaHQ9IjIwMCIgd2lkdGg9IjIwMCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KIAogPHJlY3QgeT0iMTAiIHN0cm9rZS13aWR0aD0iMiIgc3Ryb2tlPSJibGFjayIgZmlsbD0iYmx1ZSIgeD0iMTAiIHdpZHRoPSIxMDAiIGhlaWdodD0iNTAiIC8+CiAKIDxjaXJjbGUgY3k9IjQwIiBjeD0iMTYwIiBmaWxsPSJyZWQiIHI9IjQwIiAvPgogCiA8bGluZSB4MT0iMTAiIHgyPSIyMDAiIHkyPSIxMDAiIHN0cm9rZT0iZ3JlZW4iIHkxPSIxMDAiIHN0cm9rZS13aWR0aD0iMyIgLz4KIAogPHRleHQgZm9udC1zaXplPSIyMCIgeT0iMTMwIiB4PSI1MCIgZmlsbD0iYmxhY2siPkhlbGxvLCBTVkchPC90ZXh0Pgo8L3N2Zz4=) When opened in a browser, the file will generate the graphics described by the text above.\nHello, SVG!\nGenerated SVG image\nSource: BleepingComputer\nAs these are vector images, they automatically resize without losing any loss to image quality or the shape, making them\nideal for use in browser applications that may have different resolutions.\nUsing SVG attachments to evade detection\nThe use of SVG attachments in phishing campaigns is nothing new, with BleepingComputer reporting about their usage in\nprevious Qbot malware campaigns and as a way to hide malicious scripts.\nHowever, threat actors are increasingly using SVG files in their phishing campaigns according to security researcher\nMalwareHunterTeam, who shared recent samples [1, 2] with BleepingComputer.\nThese samples, and others seen by BleepingComputer, illustrate how versatile SVG attachments can be as they not only\nallow you to display graphics but can also be used to display HTML, using the element, and execute\nJavaScript when the graphic is loaded.\nThis allows threat actors to create SVG attachments that not only display images but also create phishing forms to steal\ncredentials.\nAs shown below, a recent SVG attachment [VirusTotal] displays a fake Excel spreadsheet with a built-in login form, that\nwhen submitted, sends the data to the threat actors.\nhttps://www.bleepingcomputer.com/news/security/phishing-emails-increasingly-use-svg-attachments-to-evade-detection/\nPage 3 of 5\n\nSVG attachment showing a phishing form\r\nSource: BleepingComputer\r\nOther SVG attachments used in a recent campaign [VirusTotal] pretend to be official documents or requests for more\r\ninformation, prompting you to click the download button, which then downloads malware from a remote site.\r\nSVG attachment used to distribute malware\r\nSource: BleepingComputer\r\nOther campaigns utilize SVG attachments and embedded JavaScript to automatically redirect browsers to sites hosting\r\nphishing forms when the image is opened.\r\nThe problem is that since these files are mostly just textual representations of images, they tend not to be detected by\r\nsecurity software that often. From samples seen by BleepingComputer and uploaded to VirusTotal, at the most, they have\r\none or two detections by security software.\r\nhttps://www.bleepingcomputer.com/news/security/phishing-emails-increasingly-use-svg-attachments-to-evade-detection/\r\nPage 4 of 5\n\nWith that said, receiving an SVG attachment is not common for legitimate emails, and should immediately be treated with\r\nsuspicion.\r\nUnless you are a developer and expect to receive these types of attachments, it is safer to delete any emails containing them.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/phishing-emails-increasingly-use-svg-attachments-to-evade-detection/\r\nhttps://www.bleepingcomputer.com/news/security/phishing-emails-increasingly-use-svg-attachments-to-evade-detection/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "origins": [ "web" ], "references": [ "https://www.bleepingcomputer.com/news/security/phishing-emails-increasingly-use-svg-attachments-to-evade-detection/" ], "report_names": [ "phishing-emails-increasingly-use-svg-attachments-to-evade-detection" ], "threat_actors": [], "ts_created_at": 1775434604, "ts_updated_at": 1775826758, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a5e0c6624870866ffa611335c6f19fd7b4e05db1.pdf", "text": "https://archive.orkl.eu/a5e0c6624870866ffa611335c6f19fd7b4e05db1.txt", "img": "https://archive.orkl.eu/a5e0c6624870866ffa611335c6f19fd7b4e05db1.jpg" } }