Phishing attacks through SVG image files

Issue 2 2025 News & Events, Information Security

Kaspersky has detected a new trend: attackers are distributing phishing emails to individual and corporate users with attachments in SVG (Scalable Vector Graphics) files, a format commonly used for storing images. Opening these files leads a user to phishing pages mimicking Google and Microsoft services, aiming to steal login credentials. There was an almost six-fold increase in phishing via SVG files in March 2025 compared to February, and over 4000 of these emails have been detected globally since the beginning of the year.

SVG is a format for describing two-dimensional vector graphics using XML, a markup language that provides rules to define any data. Unlike JPEG or PNG image formats, SVG supports JavaScript and HTML. This makes it easier for designers to work with non-graphical content like text, formulas, and interactive elements. However, attackers exploit this by embedding scripts with links to phishing pages within the image file. Users might open these files out of curiosity, thinking they are images.

The attached SVG file is essentially an HTML page with no graphics description. When opened in a web browser, this file appears as a web page with a link that supposedly points to an audio file. Clicking on this redirects the user to a phishing page mimicking a Google Voice audio recording, with the audio track actually being a static image. Clicking "Play Audio" further redirects users to a corporate email login page, allowing attackers to capture their credentials. This page, too, mentions Google Voice. The page also includes the target company's logo, aiming to lower the user's guard.

In a separate instance, attackers presented an SVG attachment as a document that required review and signature, mimicking a notification from an e-signature service.

Unlike the first example, where the SVG file acted as an HTML page, in this case, it contains JavaScript that, when the file is opened, launches a browser window with another fake login phishing site, this time mimicking Microsoft.

“Phishers are relentlessly exploring new techniques to circumvent detection. They vary their tactics, sometimes employing user redirection to confuse, and other times, experimenting with different attachment formats. Attacks with SVG attachments are showing a clear upward trend. While currently these attacks are relatively basic, with SVG files containing either a phishing link page or a redirection script to a fraudulent site, the use of SVG as a container for malicious content can also be employed in more sophisticated targeted attacks,” comments Roman Dedenok, Anti-Spam Expert at Kaspersky.

In order to avoid becoming a victim of phishing or malicious messages, Kaspersky experts advise the following:

• Only open emails and click links if you are sure you can trust the sender.

• When a sender is legitimate, but the content of the message seems strange, it is worth checking with the sender via an alternative means of communication.

• Check the spelling of a website’s URL if you suspect you are faced with a phishing page. The URL may contain mistakes that are hard to spot at first glance, such as a 1 instead of I or 0 instead of O.

• Use a proven security solution when surfing the web.


Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
From the editor's desk: Showtime for Securex
Technews Publishing News & Events
We have once again reached the time of year when the security industry focuses on Securex. This issue includes a short preview, with more coming online and via our special Securex Preview news briefs. ...

Read more...
Chubbsafes celebrates 190 years
Gunnebo Safe Storage Africa News & Events Security Services & Risk Management
Chubbsafes marks its 190th anniversary in 2025 and as a highlight of the anniversary celebrations it is launching the Chubbsafes 1835, a limited edition 190th-anniversary collector’s safe.

Read more...
Suprema unveils BioStar Air
Suprema neaMetrics News & Events Access Control & Identity Management Infrastructure
Suprema launches BioStar Air, the first cloud-based access control platform designed to natively support biometric authentication and feature true zero-on-premise architecture. BioStar Air simplifies deployment and scales effortlessly to secure SMBs, multi-branch companies, and mixed-use buildings.

Read more...
New law enforcement request portal
News & Events Security Services & Risk Management
inDrive launches law enforcement request portal in South Africa to support safety investigations. New portal allows authorised South African law enforcement officials to securely request user data related to safety incidents.

Read more...
Igniting standards, powering protection
Securex South Africa News & Events Fire & Safety
Fire safety is more than compliance, it is a critical commitment to protecting lives, assets, and infrastructure. At Firexpo 2025, taking place from 3 to 5 June at Gallagher Convention Centre, that commitment takes centre stage.

Read more...
Back-up securely and restore in seconds
Betatrac Telematic Solutions Editor's Choice Information Security Infrastructure
Betatrac has a solution that enables companies to back-up up to 4 GB of data onto a device and restore it in 30 seconds in an emergency, called Rapid Access Data Recovery (RADR).

Read more...
The rise of AI-powered cybercrime and defence
Information Security News & Events AI & Data Analytics
Check Point Software Technologies launched its inaugural AI Security Report, offering an in-depth exploration of how cybercriminals are weaponising artificial intelligence (AI), alongside strategic insights defenders need to stay ahead.

Read more...
From the editor's desk: We’ve only just begun
Technews Publishing News & Events
The surveillance market has expanded far beyond the analogue days of just recording and/or monitoring screens. The capabilities of surveillance technology today extend to black screen monitoring with ...

Read more...
SAFPS issues SAPS impersonation scam warning
News & Events Security Services & Risk Management
The Southern African Fraud Prevention Service (SAFPS) is warning the public against a scam in which scammers pose as members of the South African Police Service (SAPS) and trick and intimidate individuals into handing over personal and financial information.

Read more...