The KnowBe4 Threat Research team detected a sudden increase in phishing campaigns that abuse the scalable vector graphics (SVG) file format to hide malicious HTML, malware, and scripts that can easily bypass conventional email security filters.
Analyzing phishing emails from Q1 we discovered that SVG files comprised 6.6% of malicious attachments within phishing emails—a 245% increase compared to the previous quarter.
Why have SVG Files Suddenly Become Popular with Threat Actors?
SVG is a file format for drawing vector-based images. Unlike JPEG, PNG, or BMP file formats, which use pixels to form images, SVG files contain text instructions in XML for drawing the picture in a browser window. Thus, SVG images can be scaled to any size without losing quality, making them a popular format for sharing logos and icons via email. Since SVG is text-based and the image can load natively in a browser, such files can be embedded with scripts and clickable forms, such as anchor tags, and other interactive elements.
By exploiting these attributes of SVGs, threat actors can automate redirects to malicious sites, present phishes containing fake login forms for credential harvesting and deliver malicious files to user systems.
The sudden surge in SVG-file-based attacks in the last quarter predominantly leverages two types of phishing campaigns:
- Polymorphic Attacks Using SVGs Attackers send phishing emails using SVG attachments with dynamic file names or subject lines to evade detection. The emails are sent using compromised accounts with high domain ages that enhance their credibility. When a user opens the malicious SVG attachment, a transparent clickable rectangle redirects the user to a credential-harvesting phishing site with an actual Office365 login dialog, which hackers use to validate the credentials at the same time as stealing them. Polymorphic attacks obfuscating embedded malicious links within the SVG file help attackers evade traditional email security detection mechanisms.
- Personalized Missed Message Phishing A phishing email prepends the email username to trick the user into opening a malicious SVG attachment claiming to contain a missed call voice message. On activation, the JavaScript embedded within the attachment leads to a phishing site. Dynamic JavaScript and increased personalization tactics increase the likelihood of successful phishing attacks.
SVGs Are Evading Detection by Secure Email Gateways
The presumably safe SVGs' ability to discreetly embed harmful scripts and successfully evade traditional defenses has made them a vector for cyberattacks. Here’s how SVGs can bypass security defenses:
Legitimacy of SVG Image Format: SVG’s unique web and graphic design benefits make it a popular choice among users. Most security scanners assume SVG images to be safe and legitimate.
Text-Based Format: Traditional endpoint and mail protection tools can detect threats in conventional PNG and JPEG image formats and executable files. However, SVG images are text-based (XML format), and traditional security filters pass them off as innocuous image data rather than executable content.
Ability to Embed Codes: SVGs can embed JavaScript and hyperlinks. Techniques like Base64 encoding and dynamic string assembly allow malicious codes to dodge the security filters, as the latter aren’t designed to investigate embedded scripts.
Impersonation Techniques: SVGs can impersonate well-known brands and services, including DocuSign, Microsoft SharePoint, and Google Voice. Victims are decoyed into handing over sensitive credentials through legitimate-looking login screens and authentication prompts. For example, cybercriminals executed financial scams by sending seemingly legitimate invites containing malicious links using Google Calendar and Drawings that bypassed email security measures.
SVGs Present a Multi-Faceted Threat
Thanks to their versatility and perceived legitimacy, SVGs provide attackers multiple avenues to execute attacks. Here are some of them:
Cross-Site Scripting (XSS) Attacks: SVG files can embed codes like JavaScript within them. When the user views or imports the harmful SVG, the browser renders the image, executing malicious code. This can lead to the theft of sensitive user data or escalate to more severe attacks through initial JavaScript execution.
Phishing Attacks: Attackers can insert malicious codes obfuscated in XML-based SVG files to evade security scanners while presenting visually convincing images or forms to users. Users are lured to engage with malicious content with severe consequences like stolen credentials, leading to data breaches and unauthorized access to critical systems.
File Tampering: Cybercriminals modify the code in text-based SVG files to include malicious payloads. Unsuspecting users who open or import such SVGs may inadvertently execute harmful actions.
Denial-of-Service (DoS) Vulnerabilities: An attacker can craft an SVG file to include complex or excessively large data. When the file is processed by a server or application, it consumes excessive memory and CPU resources, making the server unresponsive or crashing.
Lateral Network Movement: Using a compromised user account, an attacker can upload a malicious SVG file to a shared network drive. When opened by another user in the network, the harmful SVG can exploit vulnerabilities in the second user's system to escalate privileges or extract credentials. This way, the threat moves laterally across the network, accessing sensitive systems or data.
How Can You Stay Safe from SVG-Based Phishing Attacks?
Businesses can reduce the risk of SVG-based phishing attacks to a great extent by following these best practices:
-
Authenticate Email Attachments: SVG files from unknown or unexpected email senders should be cautiously opened, as attackers often disguise malicious SVGs as legitimate documents.
-
Educate Users: Use phishing simulation platforms to train employees on real-world SVG attacks. This can help them recognize phishing attempts, including suspicious SVG files or web interfaces, and report them promptly.
-
Disable Script Execution: Configure your browser or application to block embedded scripts within SVG files. SVG rendering from critical systems can be isolated using sandboxing techniques to prevent the execution of embedded scripts.
-
Control File Uploads: Organizations should limit the types of files users can upload, allowing only those necessary for operations.
-
Implement Content Security Policies (CSPs): Use CSP headers tailored to SVG handling, blocking inline JavaScript and unauthorized external calls embedded in SVG files. Regularly review and update CSP rules to address emerging threats.
