Security awareness training programs teach employees to be constantly alert to potential phishing emails, especially emails with file attachments. Most employees will be aware that Office documents can contain macros, which, if allowed to run, can download malware onto their device, but they are likely much less suspicious about image files. Image files are far less likely to be malicious; however, there is an image file format that can contain malicious content – SVG files – and they are increasingly being used in phishing campaigns.

An SVG (Scalable Vector Graphics) file is an XML-based vector image, which means it can be scaled without loss of quality. These file types are commonly used for icons and buttons and are extensively used in graphic design, including for company logos. Image files may seem pretty innocuous, but one of the properties of SVG files, unlike non-scalable image formats such as JPEGs, is that they can be created to include scripts, anchor tags, and other types of active web content. When an SVG file is opened, unless the computer has been configured to open the file using a specific image program, the file will be opened in a web browser.

One campaign incorporated the SharePoint logo and advised the user that a secure document had been shared through Microsoft SharePoint. The image included a folder icon with the file name “Updated Compensation and Benefits”, and an “open” button that the user was encouraged to click. Clicking that button directs the user to a phishing page where they must enter their credentials to view the file. Those credentials will be captured and used to access the user’s account. Many phishing campaigns that use SVG file attachments include hyperlinks that direct the user to a site that spoofs a well-known brand such as Microsoft to harvest credentials, for example by displaying a fake Microsoft 365 login page. These phishing pages have been designed to be indistinguishable from the genuine login prompt and may even autofill the user’s login name into the login prompt.

There are two main advantages to using SVG files in phishing campaigns. First and foremost, the file is less likely to be flagged as malicious by an email security solution, many of which do not analyze the content of SVG files, so messages containing SVG files are delivered to an end user’s inbox. Secondly, since awareness of malicious SVG files is low, the targeted individuals may be easily tricked into clicking on the hyperlink. The use of SVG files in phishing campaigns is becoming more common, and this trend is likely to continue in 2025. Businesses should ensure that they have adequate defenses to block these attacks. Those defenses should include advanced anti-spam software to block these phishing emails, and security awareness training content should be updated to raise awareness of this attack technique.
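To make the content-analysis gap concrete, the following added example (not code from this article or from any product it mentions) parses an SVG attachment and reports the active content described above: script elements, event-handler attributes, and links that leave the file. The function names, the finding labels, and the two sample files are assumptions constructed for illustration; the URL uses the reserved `.invalid` domain.

```python
import re
import xml.etree.ElementTree as ET

ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}

# Constructed samples: a lure shaped like the one described above, and a plain logo.
LURE = b"""<svg xmlns="http://www.w3.org/2000/svg" width="300" height="120">
  <a href="https://login.example.invalid/view"><text x="10" y="20">Open</text></a>
  <script/>
</svg>"""
LOGO = b"""<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>"""

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]

def scan_svg(data: bytes):
    """Return a sorted list of findings for active content in an SVG attachment."""
    # Do not parse DTDs: entity declarations allow expansion attacks and can hide content.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.I):
        return ["dtd-or-entity-declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["malformed-xml"]
    findings = set()
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.add(f"element:{tag}")
        for name, value in el.attrib.items():
            attr = local(name).lower()  # 'href' covers both href and xlink:href
            val = value.strip().lower()
            if attr.startswith("on"):  # onload, onclick, ...
                findings.add(f"event-handler:{attr}")
            elif attr == "href" and val.startswith(("javascript:", "data:")):
                findings.add("href:script-or-data-uri")
            elif attr == "href" and val.startswith(("http:", "https:", "//")):
                findings.add(f"href:external-link-on-{tag}")
    return sorted(findings)

if __name__ == "__main__":
    print("lure:", scan_svg(LURE))
    print("logo:", scan_svg(LOGO))
```

Any non-empty result is a reason to quarantine the attachment or strip it before delivery; older design-tool exports that carry a DOCTYPE will also be flagged and need manual review.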

SpamTitan is an advanced spam filtering service from TitanHQ that has been proven to block more phishing emails than other email security solutions. SpamTitan was recently put to the test by VirusBulletin and outperformed all other tested anti-spam software solutions, blocking 100% of malware, 100% of phishing emails, and 99.999% of spam emails, with a 0.000% false positive rate. Machine learning algorithms ensure that the solution gets better over time, extensive threat intelligence feeds keep the solution automatically updated with up-to-the-minute threat intelligence, and a next-generation email sandbox provides exceptional protection against malware. When coupled with the SafeTitan security awareness training and phishing simulations to improve employee awareness, businesses will be well protected against phishing, malware, and other email-based attacks. Give the TitanHQ team a call today for more information about these solutions or take advantage of a free trial and see for yourself the difference these solutions make to your security posture.