New phishing technique uses the SVG format to deliver malicious HTML content
Security experts have discovered a new phishing technique that uses the SVG file format to embed malicious HTML code. Attackers send victims SVG files disguised as ordinary image attachments. When the victim opens the file, it displays a phishing page or redirects to a malicious website. The attack is highly stealthy because of the characteristics of SVG files. 2025-4-21 15:44:23 Author: cybersecuritynews.com

New Phishing Attack Appending Weaponized HTML Files Inside SVG Files

Cybersecurity experts have identified a sophisticated new phishing technique that exploits the SVG (Scalable Vector Graphics) file format to deliver malicious HTML content to unsuspecting victims.

This emerging threat, first observed at the beginning of 2025, represents a notable evolution in phishing tactics as attackers leverage the dual nature of SVG files to bypass security measures and trick users into revealing sensitive information.

SVG image (Source – Securelist)

Unlike conventional image formats such as JPEG or PNG, SVG files utilize XML markup that supports the embedding of JavaScript and HTML code.

Sample SVG file with embedded HTML code (Source – Securelist)

This legitimate feature, normally intended to enable interactive graphical elements, has become a vulnerability exploited by malicious actors who embed phishing pages or redirection scripts directly within what appears to be a harmless image attachment.

Phishing page mimicking Google Voice (Source – Securelist)

The attack vector typically begins with an email containing an SVG attachment disguised as something innocuous, often an audio recording or a document requiring a signature.

When opened, these files execute their embedded code, either displaying an HTML page with deceptive content or using JavaScript to redirect victims to sophisticated phishing sites that mimic legitimate services like Google Voice or Microsoft login portals.

Securelist researchers identified a significant uptick in this attack methodology during March 2025, documenting 2,825 malicious emails utilizing SVG attachments in the first quarter alone.

The upward trend has continued through April, with 1,324 incidents recorded in just the first half of the month—suggesting attackers are finding this technique increasingly effective against existing security measures.

Infection Mechanism Analysis

The technical execution of these attacks showcases a deceptive simplicity. When examining a malicious SVG file in a text editor, security researchers discovered that many contain minimal vector graphics code, instead housing complete HTML documents or JavaScript redirection functions.

One captured sample demonstrates how attackers embed executable code within the standard SVG structure:

  String.fromCharCode(HicRzF.charCodeAt(0) + (HiCRzF...
]]>

This script-laden SVG, when opened in a web browser, executes immediately and either renders a convincing phishing page contained entirely within the file or launches a connection to an external malicious domain where credentials are harvested.

The technique is particularly effective because the file keeps its “.svg” extension and carries an image/svg+xml content type in the email headers, allowing it to evade many attachment filtering systems that primarily block executable formats and traditional HTML attachments.
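One defender-side check for the pattern described in this section, added here as an example and not code from the Securelist or Cyber Security News write-ups: a small Python scanner that parses an SVG attachment as XML and reports script elements, foreignObject/XHTML content, event-handler attributes and javascript: links, so a mail gateway can judge the attachment by its contents rather than by its .svg extension or declared image/svg+xml type. The two sample documents are constructed for this example, not real captures.

```python
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
# Elements that carry executable code or an embedded document rather than vector graphics.
RISKY_TAGS = {"script", "foreignObject", "iframe", "object", "embed", "meta"}
# Link targets that execute code or load an inline HTML document instead of navigating.
RISKY_HREF_PREFIXES = ("javascript:", "data:text/html")

def local_name(tag: str) -> str:
    """Strip the XML namespace from an ElementTree tag ('{ns}script' -> 'script')."""
    return tag.rsplit("}", 1)[-1]

def scan_svg(data: bytes) -> list[str]:
    """Return findings describing active or HTML content in an SVG; empty means plain graphics."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    if local_name(root.tag) != "svg":
        findings.append(f"root element is <{local_name(root.tag)}>, not <svg>")
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in RISKY_TAGS:
            findings.append(f"<{name}> element")
        if elem.tag.startswith("{" + XHTML_NS + "}"):
            findings.append(f"HTML element <{name}>")  # XHTML smuggled in via foreignObject
        for attr, value in elem.attrib.items():
            aname = local_name(attr)  # handles xlink:href as well as plain href
            if aname.startswith("on"):
                findings.append(f"event handler attribute {aname} on <{name}>")
            elif aname == "href" and value.strip().lower().startswith(RISKY_HREF_PREFIXES):
                findings.append(f"href with active scheme on <{name}>")
    return findings

# Constructed samples (not real captures). The second mimics the pattern described
# above: almost no graphics, an XHTML document, an event handler and a script.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""
SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="1" height="1" onload="init()">
  <foreignObject width="100%" height="100%">
    <div xmlns="http://www.w3.org/1999/xhtml"><form>Sign in to play the recording</form></div>
  </foreignObject>
  <a xlink:href="javascript:void(0)"><rect width="1" height="1"/></a>
  <script><![CDATA[ function init() { /* decode and redirect */ } ]]></script>
</svg>"""
```

Run scan_svg over each attachment whose declared type is image/svg+xml and quarantine anything that returns a non-empty list; a clean vector image produces no findings.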


Article source: https://cybersecuritynews.com/new-phishing-attack-appending-weaponized-html-files/