With each passing year, phishing attacks feature more and more elaborate techniques designed to trick users and evade security measures. Attackers employ deceptive URL redirection tactics, such as appending malicious website addresses to seemingly safe links, embed links in PDFs, and send HTML attachments that either host the entire phishing site or use JavaScript to launch it. Lately, we have noticed a new trend where attackers are distributing attachments in SVG format, the kind normally used for storing images.
SVG format
SVG (Scalable Vector Graphics) is a format for describing two-dimensional vector graphics using XML. This is how an SVG file appears when opened in image viewing software.
But if you open it in a text editor, you can see the XML markup that describes the image. This markup allows for easy editing of image parameters, eliminating the need for resource-intensive graphics editors.
Since SVG is based on XML, it supports JavaScript and HTML, unlike JPEG or PNG. This makes it easier for designers to work with non-graphical content like text, formulas, and interactive elements. However, attackers are exploiting this by embedding scripts with links to phishing pages within the image file.
Phishing email campaigns leveraging SVG files
At the start of 2025, we observed phishing emails that resembled attacks with an HTML attachment, but instead utilized SVG files.
A review of the email’s source code shows that the attachment is identified as an image type.
However, opening the file in a text editor reveals that it is essentially an HTML page with no mention of vector graphics.
In a browser, this file appears as an HTML page with a link that supposedly points to an audio file.
Clicking the link redirects the user to a phishing page masquerading as Google Voice.
The audio track at the top of the page is a static image. Clicking “Play Audio” redirects the user to a corporate email login page, allowing attackers to capture their credentials. This page, too, mentions Google Voice. The page also includes the target company’s logo, aiming to lower the user’s guard.
In a separate instance, mimicking a notification from an e-signature service, attackers presented an SVG attachment as a document that required review and signature.
Unlike the first example, where the SVG file acted as an HTML page, in this case it contains JavaScript that, when the file is opened, launches a browser window with a phishing site featuring a fake Microsoft login form.
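A static check a mail gateway could run on the two attachment types described above, as an added example that is not from the original article: it flags a file declared as image/svg+xml whose markup is not SVG, and SVG that carries a script, event handlers, javascript: links or embedded HTML. The sample attachments, the finding names and the example.invalid URLs are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Constructed samples (not taken from real campaigns); example.invalid is a placeholder.
SAMPLES = {
    "voicemail.svg": b'<!DOCTYPE html><html><body><a href="https://example.invalid/v">Play Audio</a></body></html>',
    "document.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>location.href="https://example.invalid/login"</script></svg>',
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>',
}

class SvgAudit(HTMLParser):
    """Tolerant tag walker; HTMLParser lower-cases tag and attribute names."""
    def __init__(self):
        super().__init__()
        self.first_tag, self.findings = None, set()

    def handle_starttag(self, tag, attrs):
        self.first_tag = self.first_tag or tag
        if tag == "script":
            self.findings.add("script-element")
        if tag == "foreignobject":          # <foreignObject> carries embedded HTML
            self.findings.add("embedded-html")
        for name, value in attrs:
            if name.startswith("on"):       # onload, onclick, ...
                self.findings.add("event-handler")
            if name.endswith("href") and (value or "").strip().lower().startswith("javascript:"):
                self.findings.add("javascript-uri")

def audit_svg(data: bytes) -> set:
    """Return the set of active-content indicators found in one attachment."""
    parser = SvgAudit()
    parser.feed(data.decode("utf-8", errors="replace"))
    parser.close()
    if parser.first_tag != "svg":           # image MIME type, but the body is not SVG markup
        parser.findings.add("root-not-svg")
    return parser.findings

def audit_message(raw: bytes) -> dict:
    """Map each image/svg+xml attachment's filename to its findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {part.get_filename(): audit_svg(part.get_payload(decode=True) or b"")
            for part in msg.iter_attachments()
            if part.get_content_type() == "image/svg+xml"}

def sample_message() -> bytes:
    msg = EmailMessage()                    # constructed e-mail carrying the three samples
    msg.set_content("See attachment.")
    for name, body in SAMPLES.items():
        msg.add_attachment(body, maintype="image", subtype="svg+xml", filename=name)
    return msg.as_bytes()
```

An empty result only means none of these indicators were present; a plain static image with no findings is the expected case for legitimate SVG attachments.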
Statistics
Our telemetry data indicates a significant increase in SVG campaigns during March 2025. We found 2,825 of these emails in just the first quarter of the year.
Emails with SVG attachments, January through March 2025
In April, the upward trend continued: in the first half of the month, we detected 1,324 emails with SVG attachments – more than two-thirds of March’s figure.
Takeaways
Phishers are relentlessly exploring new techniques to circumvent detection. They vary their tactics, sometimes employing user redirection and text obfuscation, and other times, experimenting with different attachment formats. The SVG format provides the capability to embed HTML and JavaScript code within images, which is misused by attackers. Despite not being widespread at the time of this study, SVG attachment attacks are showing a clear upward trend. These attacks, while currently relatively basic – much like HTML attachment scenarios – involve SVG files containing either a phishing link page or a redirection script to a fraudulent site. However, the use of SVG as a container for malicious content can also be employed in more sophisticated targeted attacks.