{
	"id": "fa99c641-bab8-49cf-b2ea-981465f143b5",
	"created_at": "2026-04-06T00:10:58.616932Z",
	"updated_at": "2026-04-10T03:21:31.609234Z",
	"deleted_at": null,
	"sha1_hash": "b26d88b0669615fb020516de297afc8dab453093",
	"title": "Pixel-Perfect Trap: The Surge of SVG-Borne Phishing Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 969379,
	"plain_text": "Pixel-Perfect Trap: The Surge of SVG-Borne Phishing Attacks\r\nBy Bernard Bautista and Kevin Adriano\r\nPublished: 2025-04-10 · Archived: 2026-04-05 20:06:20 UTC\r\nApril 10, 2025 7 Minute Read\r\nEver thought an image file could be part of a cyber threat? The Trustwave SpiderLabs Email Security team has\r\nidentified a major spike in SVG image-based attacks, where harmless-looking graphics are being used to hide\r\ndangerous links.\r\nThis blog post analyzes the various techniques cybercriminals are using to cleverly weaponize these image files in\r\nphishing attacks and what your organization can do to prevent these pixel-perfect tricks.\r\nBackground of Image-based Attacks\r\nCybercriminals have long leveraged image-based attacks to evade security defenses. One of the earliest examples\r\nof this was image spam in the early 2000s, which emerged to bypass traditional text-based detections. Over the\r\nfollowing years, attackers adopted new image-based techniques, notably QR-code phishing during the 2010s,\r\nwhich grew significantly and became a widespread threat by 2023.\r\nAlso during the 2010s, threat actors used steganography, the practice of hiding data within another file or\r\nmedia, to conceal malicious code or stolen data within image files.\r\nIn 2017, Trustwave SpiderLabs identified another form of image-based attack: SVG files used to embed scripts that\r\ndownload Ursnif malware from a remote resource.\r\nRise in SVG-based Threats, Driven by PhaaS platforms\r\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pixel-perfect-trap-the-surge-of-svg-borne-phishing-attacks/\r\nPage 1 of 10\n\nFigure 1. Monthly volume of email threats with SVG attachments from our spam traps over the past 12 months\r\n(April 2024 – March 2025).\r\nSVG-based attacks have sharply pivoted toward phishing campaigns, with a staggering 1800% increase in early\r\n2025 compared to data collected since April 2024. 
A notable surge in campaigns was observed in Q1 of 2025,\r\npeaking in March. These are driven largely by the emergence of Attack-in-the-middle (AITM) Phishing-as-a-Service (PhaaS) platforms such as Tycoon2FA, which have significantly amplified the effectiveness and\r\nprevalence of these deceptive tactics.\r\nWhat is an SVG File?\r\nSVG (Scalable Vector Graphics) files are vector-based images commonly used for crisp logos, icons, and graphics\r\ndue to their ability to scale without losing quality. Unlike typical image formats like JPEG or PNG, SVG files are\r\nbased on XML (Extensible Markup Language), allowing them to contain interactive elements and scripts. This\r\nflexibility has made SVG files increasingly popular across websites, applications, and digital marketing platforms,\r\nserving diverse visual needs efficiently.\r\nExample SVG:\r\nThe example code below is a benign SVG file that renders the Microsoft logo. It utilizes the   element to define\r\nthe shapes and colors of the logo's graphical components.\r\nFigure 2. Example benign SVG code that renders a Microsoft logo.\r\nRendered Microsoft logo in SVG:\r\nFigure 3. The rendered SVG Microsoft logo.\r\nHow Cybercriminals Exploit SVG Files for Attacks\r\nWhile SVG (Scalable Vector Graphics) files are widely used in web design and branding, their ability to embed\r\nJavaScript also introduces serious cybersecurity risks.\r\nCybercriminals exploit this feature by inserting malicious scripts directly into SVG files. 
These scripts can execute\r\nautomatically upon opening the file, enabling a wide range of cyberattacks, including unauthorized system access,\r\ndata theft, identity compromise, and leakage of sensitive information.\r\nThe primary cybersecurity risks posed by malicious SVG files include:\r\nAutomatic execution of concealed malicious scripts without explicit user interaction.\r\nDifficulty for conventional security filters and antivirus tools to detect and block threats effectively.\r\nFalse sense of safety among users who typically view SVG files as harmless image content.\r\nFile Comparison: SVG vs. PDF, DOC, HTML\r\nTo better understand the threat of SVG phishing, it is helpful to compare it with other common phishing file\r\nformats such as PDF, DOC, and HTML. This comparison helps evaluate the relative risks, delivery methods, and\r\neffectiveness of each format in bypassing security measures and deceiving users.\r\nSVG Files\r\nSVG phishing is highly effective because SVGs can embed JavaScript that executes automatically. Their harmless\r\nappearance and the lack of stringent security checks further heighten their appeal as phishing vectors.\r\nPDF Files\r\nPDF files are frequently employed in phishing attacks due to their ubiquity in business and official\r\ncommunications. Although PDFs can embed malicious links or scripts, executing these threats typically requires\r\nuser interaction, such as clicking a link or button within the document. Moreover, PDFs often undergo rigorous\r\nscanning by security software, diminishing their effectiveness compared to SVG files.\r\nDOC Files\r\nMicrosoft Word documents (DOC) commonly feature phishing attempts using embedded hyperlinks paired with\r\nenticing text or images. 
These links are crafted to appear legitimate and urge users to click, directing them toward\r\nphishing websites designed to capture credentials. Unlike SVGs, DOC files do not inherently execute scripts\r\nautomatically unless part of a macro-based attack, and they rely heavily on user engagement and trust.\r\nHTML Files\r\nHTML phishing leverages embedded scripts that execute directly in browsers, often involving complex\r\nobfuscation techniques. Despite their direct threat potential, users are usually more cautious with HTML\r\nattachments due to increased awareness about their associated risks.\r\nTable 1. Summary of Comparison\r\nFigure 4. Table featuring Summary of Comparison between SVG, PDF, Doc and HTML.\r\nBrowser and Email Client Handling of SVG Files\r\nWeb browsers such as Chrome, Firefox, Safari, and Edge natively handle SVG files and automatically execute\r\nembedded JavaScript without issuing security alerts. This makes SVG phishing highly effective, as users receive\r\nminimal warning about the potential risks.\r\nIn contrast, desktop email clients like Outlook and Thunderbird generally do not execute scripts within SVG files.\r\nInstead, they prompt users to open these files in an external browser, inadvertently increasing phishing risks by\r\ntransferring the attack vector to a less secure environment.\r\nFigure 5. SVG-Based Phishing Attack Flow.\r\nIn-the-Wild Campaigns\r\nWhile HTML and PDF attachments remain popular in phishing campaigns due to their versatility, recent activity\r\nreveals a notable shift toward the use of SVG files as an alternative delivery mechanism. 
This lightweight, text-based image format is increasingly exploited by threat actors to embed JavaScript-based redirection, allowing\r\nthe files to act as stealthy intermediaries that funnel victims to credential-harvesting pages while evading traditional\r\nsecurity filters.\r\nThis technique has been observed across campaigns linked to AiTM PhaaS platforms such as Tycoon2FA,\r\nMamba2FA, and Sneaky2FA—all of which specialize in intercepting credentials and bypassing multi-factor\r\nauthentication.\r\nIn one observed campaign (Figure 6), attackers mimic a Microsoft Teams voicemail notification to lure victims\r\ninto downloading a suspicious attachment. The phishing email carries a subject and body text resembling a\r\nlegitimate Teams alert.\r\nFigure 6. Fake Microsoft Teams alert email with a deceptive voicemail message prompt.\r\nThe attachment is deceptively named to appear like an audio file. Despite its .svg extension, the file is crafted to\r\nappear like a voice message. When clicked, it executes an embedded redirection code that leads users to a fake\r\nOffice 365 login page.\r\nThis redirection is achieved through the abuse of the SVG    element, which allows HTML and JavaScript to run\r\ninside the image. The SVG includes obfuscated script content encoded in base64, making it harder for traditional\r\nemail security tools to detect.\r\nFigure 7. Obfuscated JavaScript inside an SVG file is used to redirect victims to a phishing site.\r\nAs soon as the SVG loads, the script dynamically decodes the URL and appends the victim’s email as a fragment\r\nidentifier. 
This method helps bypass email filters by hiding suspicious code inside an innocent-looking .svg file.\r\nThe spoofed landing page is convincingly designed to steal user credentials under the guise of an M365 login.\r\nFigure 8. Fake Office 365 login page designed to steal user credentials.\r\nFurther investigation linked this campaign to the Mamba2FA Phishing-as-a-Service (PhaaS) platform. Mamba2FA\r\nis known for its advanced phishing kits and MFA-bypass capabilities, offering phishing operators all-in-one\r\nsolutions to intercept and steal credentials even in protected environments.\r\nOther Variants Observed in the Wild\r\nWhile the core delivery method remains consistent, embedding JavaScript within SVG files to trigger redirects,\r\nthe implementations vary widely.\r\nSome campaigns use deceptive SVG icons, such as logos or cloud document previews, to lure clicks. Others\r\nemploy different obfuscation layers, including base64 encoding, character fragmentation, JavaScript encoding\r\ntricks, and junk comments inserted throughout the code to evade detection.\r\nThe redirect destinations also differ, ranging from fake login pages to credential-harvesting gateways tied to\r\nvarious phishing kits and infrastructure.\r\nVariant 1. Obfuscated SVG script used by Tycoon2FA Phishing-as-a-Service\r\nThis SVG phishing variant conceals its malicious URL through multiple obfuscation layers. Appearing as a\r\nstandard vector graphic with dimensions of 400×250, it contains embedded JavaScript within a CDATA-wrapped\r\nblock.\r\nCDATA (Character Data) is an XML construct that allows raw text, including special characters like angle\r\nbrackets and ampersands, to be embedded without being parsed. 
In this case, it enables attackers to insert\r\nexecutable JavaScript directly into the SVG without breaking the structure, helping hide the payload from basic\r\ninspection.\r\nFigure 9. Embedded SVG script with multiple layers of encoding designed to conceal its phishing URL from\r\ndetection.\r\nThe script employs ROT13 encryption, Base64 decoding, and XOR encryption with a specific key to ensure the\r\nphishing URL remains hidden until execution. Upon execution, it redirects users to a phishing destination,\r\nautomatically appending the target email as immediate input on the phishing page.\r\nVariant 2. Logo-Based Staging and Redirect Technique\r\nThis SVG file combines graphical content with an embedded redirection script, creating a seemingly harmless\r\nimage that covertly navigates users to another website.\r\nThe file defines an SVG image with specific dimensions (234×48 pixels) and a defined viewBox. It uses multiple \r\n elements to form shapes or text, all rendered in a uniform color.\r\nFigure 10. SVG file combining both the graphical content and embedded redirection script.\r\nEmbedded within a CDATA-wrapped block, the JavaScript code defines a redirect function that sets a specific\r\nURL target. When the SVG loads in the browser (triggered by window.onload), the script automatically executes,\r\nimmediately redirecting users to the intended phishing destination, which, in this case, is a Google Drawings page.\r\nFigure 11 shows an SVG test file we created to demonstrate browser behavior when an SVG file with a redirection\r\nscript is clicked. In a browser, it initially renders the Microsoft logo and then automatically redirects to a Google\r\nDrawings page like Figure 10.\r\nFigure 11. 
Clip showing SVG test file with logo graphics and automatic URL redirection.\r\nThis SVG is a prime example of how visual content can serve as a cover for JavaScript-based redirection. While\r\nthe image renders correctly, its hidden behavior underlines the importance of scrutinizing files that incorporate\r\nscript elements.\r\nConclusion\r\nThe rise in SVG phishing suggests that threat actors are continuously expanding their tactics to bypass security\r\nmeasures beyond QR codes and the traditional methods, including links, HTML, and document-based attacks.\r\nMany of these campaigns are facilitated by phishing kits that operate as PhaaS platforms, making them more\r\naccessible and scalable for cybercriminals. Awareness and proactive security measures are vital in combating this\r\nsubtle yet increasingly prevalent threat.\r\nTo effectively combat this increasingly prevalent threat, users and organizations should:\r\nConsider blocking or flagging SVG attachments: evaluate the option of blocking emails with SVG\r\nattachments or, at a minimum, flagging them with a warning.\r\nBe cautious with attachments and links: treat unexpected files and embedded links with suspicion,\r\nespecially if they come from unknown or unverified sources.\r\nVerify authenticity: double-check senders and content, especially with urgent or unsolicited messages.\r\nTrain employees regularly: provide ongoing education on phishing trends and techniques to help users\r\nrecognize and respond to threats.\r\nUse advanced protection: implement robust filtering and threat-detection systems to proactively block\r\nmalicious threats like SVG-based attachments. 
Tools like Trustwave MailMarshal offer layered protection\r\nagainst email threats.\r\nImplement MFA methods with extra layers: strengthen defenses with phishing-resistant methods like\r\nFIDO2 and implement conditional access, continuous authentication, and session monitoring.\r\nIndicators of Compromise\r\nhxxps[://]ut[.]sxbmjefh[.]ru/I6wx84s/\r\nhxxps[://]docs[.]google[.]com/drawings/d/1e6oBFLaz3YRncI8qZ--Mg7yh8Uzw8XK0uW5l-z-khKc/preview?pli=1\r\nhxxps[://]grado33closet[.]com/n/?c3Y9bzM2NV8xX25vbSZyYW5kPVl6WlpSVGs9JnVpZD1VU0VSMDQwMzIwMjVVNDEwMzA0MDM=#\r\nSource: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pixel-perfect-trap-the-surge-of-svg-borne-phishing-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pixel-perfect-trap-the-surge-of-svg-borne-phishing-attacks/"
	],
	"report_names": [
		"pixel-perfect-trap-the-surge-of-svg-borne-phishing-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434258,
	"ts_updated_at": 1775791291,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b26d88b0669615fb020516de297afc8dab453093.pdf",
		"text": "https://archive.orkl.eu/b26d88b0669615fb020516de297afc8dab453093.txt",
		"img": "https://archive.orkl.eu/b26d88b0669615fb020516de297afc8dab453093.jpg"
	}
}