Scalable Vector Graphics files pose a novel phishing threat

Feb. 6, 2025, 1:29 a.m.

Description

Cybercriminals are exploiting the SVG file format to conduct phishing attacks that bypass existing anti-spam and anti-phishing protection. These attacks involve email messages with .svg file attachments, which open in the default browser on Windows computers. The SVG files contain anchor tags and scripts that link to malicious web pages, often disguised as legal documents or voicemails. When victims click on the embedded links, they are directed to phishing pages that mimic popular services like DocuSign, Microsoft SharePoint, and Office365. The attackers use various social engineering techniques and sophisticated methods to capture and exfiltrate user credentials. Some SVG files even contain encoded malware. To protect against this threat, users are advised to change the default program for opening SVG files and be cautious of suspicious emails.

External References

https://github.com/sophoslabs/IoCs/blob/master/20250205_SVGspam.csv
https://news.sophos.com/en-us/2025/02/05/svg-phishing/
https://otx.alienvault.com/pulse/67a3cf46a7d1228270edc618
Tags
phishing
social engineering
credential theft
evasion techniques
2025-02-05
nymeria
file format abuse
svg
browser-based attacks
troj/autoit-dhb
email attachments

Date

  • Created: Feb. 5, 2025, 8:51 p.m.
  • Published: Feb. 5, 2025, 8:51 p.m.
  • Modified: Feb. 6, 2025, 1:29 a.m.

Attack Patterns

  • Nymeria
  • T1102.003
  • T1102.002
  • T1132.001
  • T1553.005
  • T1059.001
  • T1189
  • T1059.007
  • T1056.001
  • T1071.001
  • T1204
  • T1140
  • T1027
  • T1566