
An Old Vector for New Attacks: How Obfuscated SVG Files Redirect Victims


Scalable Vector Graphics (SVG) files have become a new trend for attackers looking to bypass spam and phishing detections. The SVG format is used to display vector graphics and animations that can be resized without losing resolution, and by default it opens in a web browser on Windows. Unlike more common raster image types such as JPEG and PNG, these files use XML to describe the image. That XML can carry embedded JavaScript, which turns the format into an attack vector for malicious activity.

Malicious SVG files use two main tactics for handling user interaction and redirection: inline SVG attachments, which render in the email client with call-to-action buttons that open a browser and redirect to phishing sites, and standalone attachments, which users open or save separately and which trigger an automatic redirect once opened in a browser. In this blog we will focus on the second technique, which bypasses the email client's URL-scanning protections because the redirect URL is hidden inside the file rather than in the message body.

Recent phishing campaigns using SVG files as an attack vector have used a variety of themes: voice notes and messages, printer scans, remittance advice and bank transfer details. In this blog post we will focus on 4 campaigns, highlighting the lures and the obfuscation techniques used to bypass detections.

Malicious SVG file trend analysis

As seen in figure 1 below, the malicious use of SVG files has skyrocketed in recent days compared with the previous 3 months. In particular, since March 17th we have observed large phishing campaigns with almost 500 messages per day:


Fig. 1 - Total count of SVG files blocked each day from 1 January to 26 March


Now let’s break down how four of these SVG campaigns work:

SVG campaign 10 – 11 March

10th – 11th March
Subject: []VM: [+1786703****] tried reaching you on [11/03] playback available


Fig. 2 - Phishing email with SVG file displaying voicemail lure


This campaign differs from the subsequent campaigns in that the SVG file contains a considerable amount of actual vector graphics and text to display the voice message lure in the email client. Along with the displayed lure, the SVG file includes an embedded ECMAScript (the language standard that JavaScript is built upon, whose base components are still supported by browsers almost 30 years after it was first released).

The ECMAScript uses some basic hex encoding to hide the phishing redirect URL; the redirect only takes place when the file is opened in a browser.

Fig. 3 - SVG file ECMAScript with hex and character decoding


The redirect URL is hosted on the well-known Cloudflare free host pages[.]dev. The destination URL displayed a Cloudflare bot validation page, and the phishing content was not available at the time of analysis. Recently we have recorded many malicious campaigns using free web hosts such as pages[.]dev, which aligns with X-Labs' 2025 Future Insights prediction.

Campaign IOCs

  • Suspicious sender: TOBi@tobincenter[.]org
  • SVG sha1: 69c9937ae2ddb81a55385aadb3751e572026fa5d
  • Redirect URL: hxxps://abe87c29.46b20494-8a43-4c49-8a51-bc2a41cc9c27-e624a29b-c629-4f2f-99.pages[.]dev/voiceseses
  • Destination URL: hxxps://vacilandos[.]com/?&

SVG campaign 17 March

17th March
Subject: Reminder: Your Requested Documents for Signature –03849828052163mClWG

This campaign dropped the vector graphics in favour of a simple (yet incorrectly sized) SVG rectangle element with the text: “Loading Electronic Signature Required...”

Fig. 4 - Email with SVG file displaying a basic and incorrectly sized textbox


The SVG file in this campaign has no obfuscation, with a simple setTimeout function and hardcoded phishing redirect URL:

Fig. 5 - SVG file embedded JavaScript with plaintext phishing redirect URL


The phishing URL displays a typical Microsoft login page:

Fig. 6 - Microsoft phishing page

Campaign IOCs

  • Suspicious Sender: info@cazareinfelix[.]ro
  • SVG sha1: 443e4d40c3b80741991a24527f50361d7d871932
  • Redirect URL: hxxps://jutebagbd[.]com/js/
  • Destination URL: zfilesharout[.]one/?lcfvblhu=d0a5bd6ea92dc93e3c16c5848ea533b5c81cf959f5503a42556849e462335f259b-
    123b7848875914b154f81b51bb48c28b1a991497b96af4aa6c5f32b9430e28&qrc=


SVG campaign 18 March

18th March
Subject: [33sec VN] Received on 3/20/2025

This campaign masquerades as a voice note message transcription, with the from name set to “VM Recording Msg Transcription for ”; the email has no body text, only the attached SVG file.


Fig. 7 - Voice note phishing email with attached SVG

Fig. 8 - SVG file with embedded base64 encoded ECMAScript


The SVG contains two ECMAScripts. The first is a dummy script containing a comment and the victim's email address initialised as a variable; the second is a base64-encoded script that is further obfuscated using base64, byte arrays and AES encryption. This decodes to a basic but underused window.location.assign call that redirects the user to a Microsoft credential phishing page.

Fig. 9 - Decoded from base64: ECMAScript initialising variables for ciphertext, iv, key and tag

Fig. 10 - AES variables first decoded using character encoding, then base64; followed by AES decryption

Fig. 11 - Decoded redirect script using window.location.assign

Fig. 12 - Basic Microsoft phishing page

Campaign IOCs

  • Suspicious sender: steve@stackgrouprealty[.]com
  • SVG sha1: 0360f680476d8ef97c2a7a3f69f86f5fb39e6bd1
  • Phishing domain: hxxps://test.landgerichtberlin[.]com/e26WUmNsWmMBi4eF7o6zPs9XEJGwROoWzh7tq3c8kuN0EacOSYJ7oflRfFDPBSCM-
    gti1OpVbZqG6u5wadxJUNntu0vakQL832cHpvlVQyrlGjeKbxgRA2nYfKUnH94oTrjHZTyLDY0IC4oXorFPTqy1jh/verify

SVG campaign 26 March

26th March
Subject: DirectDeposit #741844:Payment:Ref 6a62bbb11f25c1924e264d9e4f118375

This campaign is a classic payment scam using the GoTo electronic fax service as a lure, masquerading as a fax from the IRS regarding a direct deposit. The sending infrastructure for this campaign is the legitimate Microsoft Tenant service. This is further proof that legitimate services are increasingly being used in malicious activities.


Fig. 13 - Email from Microsoft tenant with GoTo fax and IRS lures, attached SVG file

The SVG file in this campaign lacks the complexity of the previously highlighted campaign; it seems the attackers using SVG files have returned to more reliable methods of obfuscation. The file contains the usual embedded ECMAScript encoded in base64. The further obfuscation of the phishing URL begins with simple reverse and replace functions, followed by hex decoding into an integer with some addition and division, and finally decoding through character codes.
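As an added example (not code from the Forcepoint post), the following Python triage script applies the pattern shared by the four campaigns above: it parses the SVG as XML, pulls out every script element and on* event handler, peels off embedded base64 layers, and flags the redirect and decoding primitives the post describes (setTimeout, window.location.assign, atob/base64, character codes, AES). The marker list and the constructed sample file are assumptions, not campaign artifacts.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Hypothetical marker list (not from the post): redirect and decoding primitives seen across the campaigns
SUSPICIOUS = ("window.location", "location.assign", "location.href",
              "setTimeout", "atob(", "fromCharCode", "eval(", "decrypt")
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long base64-looking runs inside a script

def extract_scripts(svg_text):
    """Return the text of every <script> element (any namespace) and every on* handler."""
    found = []
    for el in ET.fromstring(svg_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "script" and el.text:
            found.append(el.text)          # CDATA content arrives here as plain text
        for attr, val in el.attrib.items():
            if attr.lower().startswith("on"):
                found.append(val)
    return found

def decode_base64_layers(text, max_depth=3):
    """Peel base64 blobs out of a script a few layers deep; returns [text, layer1, ...]."""
    layers = [text]
    for _ in range(max_depth):
        decoded = []
        for blob in B64_RE.findall(layers[-1]):
            try:
                raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
                decoded.append(raw.decode("utf-8", "ignore"))
            except ValueError:             # binascii.Error is a ValueError
                continue
        if not decoded:
            break
        layers.append("\n".join(decoded))
    return layers

def triage_svg(svg_text):
    """Verdict: 'clean' (no script), 'review' (script, no markers) or 'suspicious' (markers hit)."""
    scripts = extract_scripts(svg_text)
    markers = {m for s in scripts for layer in decode_base64_layers(s)
               for m in SUSPICIOUS if m in layer}
    verdict = "suspicious" if markers else ("review" if scripts else "clean")
    return {"script_count": len(scripts), "markers": sorted(markers), "verdict": verdict}

# Constructed sample (not a real campaign file): a tiny rectangle plus a script that
# base64-decodes and evaluates a redirect payload pointing at a reserved test domain.
INNER = 'setTimeout(function(){window.location.assign("https://example.invalid/verify");},100);'
SAMPLE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
              '<rect width="1" height="1"/><script><![CDATA[var p="'
              + base64.b64encode(INNER.encode()).decode() + '";eval(atob(p));]]></script></svg>')
```

Running `triage_svg` over a mail gateway's quarantined SVG attachments surfaces the standalone-redirect files even when the URL never appears in plaintext, which is exactly the case URL scanners on the message body miss.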

Fig. 14 - SVG file with embedded base64 encoded ECMAScript

Fig. 15 - Decoded from base64: ECMAScript uses reverse, replace, hex and character encoding


The phishing page has a Cloudflare bot challenge and subsequently displays a Microsoft login panel with a “Payment Receipt” background.

Fig. 16 - Microsoft credential phishing page

Campaign IOCs

  • Microsoft tenant sender domain: @bgfbv.onmicrosoft[.]com
  • SVG sha1: 06b446f3ffd972de9d30103ea3f824648a81ce63
  • Phishing URL: hxxps://thajy.cotrustsystem[.]com/5jUzdNZUxvqpiCSHk4MTVOxlRnoHw8snAssiTjTKgQvoKpZcEcGFhl6WNz14FYbLPSh-
    ItIrmXoKV7Rux4652Cu0SE9U10DEAdf21tL8bMwqaPbkJt2VcIr8wQim7ea5FeX7RCGlfNgQMGqfOyhBuYL/index?a=YmxhaEBibGFoLmNvbQ%3D%3D

Conclusion

Attackers are always finding novel ways to bypass protections. In this case, older technologies such as SVG image files and ECMAScript are being used to redirect victims to more traditional credential phishing pages. X-Labs' recent analysis shows a huge increase in the use of SVG files embedded with malicious code last month. We can also trace the evolution of the attacks through the change in tactics: dropping the displayed vector images, moving from simple obfuscation techniques to more complex AES encryption, and then back to simpler but more reliable methods such as reverse and replace functions.

Protection statement

Forcepoint customers are protected against this threat at the following stages of attack:

  • Stage 2 (Lure) – Delivered via malicious SVG files attached to an email. Emails and embedded URLs are blocked by Forcepoint Email Security analytics and Forcepoint Web Security analytics.
  • Stage 3 (Redirect) – Redirected phishing URLs are blocked by web analytics.


    Ben Gibney

    As a Security Researcher III on the X-Labs team, Ben oversees the analytics and research used in website and email filtering for millions of people across the globe. He uses a wide range of open and closed sources of intelligence for our research and applies this knowledge to an assortment of web traffic, email, and file scanning technologies.
