SVG Smuggling - Image Embedded JavaScript Redirect Attacks

July 17, 2025, 7:47 p.m.

Description

Threat actors are increasingly using Scalable Vector Graphics (SVG) files to deliver JavaScript-based redirect attacks. These SVGs contain embedded, obfuscated JavaScript that initiates browser redirects to attacker-controlled infrastructure. The campaign uses email spoofing and impersonation to deliver the SVGs, bypassing traditional file-based detection. The embedded code uses XOR encryption and reconstructs the redirect command at runtime. The attack targets B2B Service Providers, including those handling corporate financial and employee data. Mitigation strategies include implementing DMARC policies, blocking SVG attachments, and enhancing email security measures. The campaign demonstrates a shift towards smuggling techniques that avoid triggering traditional security alerts.
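An attachment check that a mail gateway could run in support of the mitigations above, as an added example that is not part of the original advisory. It parses an SVG and reports the active content (script elements, event-handler attributes, script-scheme links) that a static image never needs; the function names, tag list and sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed policy lists (not from the advisory): content a static image does not need.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
URI_ATTRS = {"href", "src"}

def local(name: str) -> str:
    """Strip an XML namespace prefix: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]

def svg_active_content(data: bytes) -> list[str]:
    """Return the reasons to quarantine an SVG attachment (empty list = static image)."""
    # Conservative choice: refuse entity declarations before handing data to the parser.
    if b"<!ENTITY" in data.upper():
        return ["entity-declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["unparseable"]  # a file the scanner cannot read is not delivered
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"element:{tag}")
        for attr, value in el.attrib.items():
            name = local(attr).lower()
            if name.startswith("on"):  # onload, onclick, ...
                findings.append(f"handler:{name}")
            elif name in URI_ATTRS:
                # Drop whitespace before comparing the URI scheme.
                target = "".join(value.split()).lower()
                if target.startswith(("javascript:", "data:text/html")):
                    findings.append(f"uri:{tag}@{name}")
    return findings

# Constructed samples: a static image and a file carrying inert active content.
BENIGN = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
          b'<rect width="10" height="10" fill="#08c"/></svg>')
SCRIPTED = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">'
            b'<script><![CDATA[/* constructed placeholder */]]></script>'
            b'<a xmlns:xlink="http://www.w3.org/1999/xlink" '
            b'xlink:href="javascript:void(0)"><text>x</text></a></svg>')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("scripted", SCRIPTED)):
        print(label, svg_active_content(sample))
```

Because the check looks at document structure rather than script text, it does not depend on de-obfuscating the XOR-encoded payload.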

Date

  • Created: July 17, 2025, 1:13 p.m.
  • Published: July 17, 2025, 1:13 p.m.
  • Modified: July 17, 2025, 7:47 p.m.