From Logo to Loader: How SVG Files Evolved into Malware Carriers

Anirudh Mittal

Security researchers have reported a stealthy phishing technique: embedding obfuscated JavaScript inside seemingly harmless SVG image files. These weaponised images, now dubbed “SVG smuggling”, deliver malicious redirects and malware downloads to users worldwide while slipping past traditional email defences.

Images That Hide Code, Not Just Pictures

The attack begins with a carefully crafted phishing email carrying an SVG attachment or an SVG linked as an inline image. Victims are led to believe it is a simple graphic, such as a missed-call alert or a payment notice. Instead, the SVG contains embedded JavaScript that runs when the file is opened or previewed in a browser, or in a mail client that renders SVG as a document rather than as a plain image.

The hidden script typically wraps its payload in Base64 or XOR obfuscation, then silently redirects the victim to a malicious site or starts a download. No browser vulnerability is exploited: the script relies on ordinary browser APIs, using atob() to decode the payload and assigning window.location.href to perform the redirect. IBM X-Force reports that SVGs are being used to launch multi-stage infection chains involving loaders and trojans such as Blue Banana RAT, SambaSpy and SessionBot, with financial institutions a particular target.

Why SVGs Evade Security Filters

Unlike JPG or PNG, SVG is a text-based XML format, so a <script> element, an event-handler attribute (onload, onclick) or a javascript: link can be written straight into the image. Those scripts execute when the SVG is opened directly in a browser or embedded via <object>, <embed> or <iframe>, but not when it is referenced from an <img> tag or CSS; an attachment the user double-clicks is opened directly, which is why the attachment route works. Security tools often treat SVGs as benign image assets and skip deep inspection, enabling attackers to evade detection.

A LinkedIn threat report notes a 245% rise in malicious SVGs in the past quarter, including polymorphic campaigns that generate file names dynamically to defeat filename-based filters. Some samples embed complete interactive phishing forms inside the image or use auto-redirect elements.

Defensive Measures Firms Must Deploy

Experts advise disabling JavaScript execution when rendering SVG (or rasterising untrusted SVGs to PNG before display), applying a Content Security Policy that blocks inline scripts (for web applications that host user-supplied SVGs, serving them with Content-Security-Policy: sandbox or script-src 'none' and Content-Disposition: attachment so they are never rendered as a page in the site's own origin), and sandboxing SVG rendering in isolated environments. Email gateways should inspect or block SVG attachments outright and enforce DMARC/SPF/DKIM; Microsoft 365 tenants should additionally enable Defender for Office 365 protections such as Zero-hour Auto Purge (ZAP), Safe Links and Safe Attachments.

Security teams should also train users to treat SVG attachments with scepticism and update detection rules to flag embedded <script> tags, foreignObject elements, on* event-handler attributes and javascript: or data: hrefs. Monitoring for lookalike domains and running proactive phishing simulations round out the programme.
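As an added example (not the article's code, nor any vendor's), the Python script below covers both the payload pattern described earlier (a Base64-encoded URL decoded with atob and assigned to window.location.href) and the detection rules recommended here. It builds a constructed, harmless SVG in that style whose hidden destination is example.com, scans it for <script> and foreignObject elements, on* event handlers and javascript:/data: URLs, decodes Base64 literals found in script text to expose the destination, and finally strips the active content. The function names (scan_svg, sanitize_svg, decode_base64_literals), the element and attribute deny-lists and the sample file are this example's own assumptions. The standard-library XML parser is used so the script runs anywhere; defusedxml is the safer choice for production input.

```python
"""Static scan and sanitisation of an SVG for the active-content vectors the
article describes.  Added example; not the article's or any vendor's code."""
import base64
import re
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree in production

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep serialised output prefix-free
ET.register_namespace("xlink", XLINK_NS)

# Elements that can carry or host executable content inside an SVG (assumed deny-list).
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes whose value may be a javascript:/data: URL: href / xlink:href, plus the
# animation attributes that can rewrite href at runtime (local names only).
URL_ATTRS = {"href", "from", "to", "values"}
# Candidate Base64 string literals: long runs of the Base64 alphabet.
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed sample modelled on the pattern in the article (not a real sample):
# a decoy graphic plus a script that decodes a Base64 URL and redirects.  The
# encoded value is https://example.com/login, so it points nowhere harmful.
SAMPLE_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="300" height="100">
  <text x="10" y="40">Missed call notification</text>
  <a xlink:href="javascript:void(0)"><rect width="10" height="10"/></a>
  <script type="text/javascript"><![CDATA[
    var p = "aHR0cHM6Ly9leGFtcGxlLmNvbS9sb2dpbg==";
    window.location.href = atob(p);
  ]]></script>
</svg>
"""


def local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def decode_base64_literals(text):
    """Return printable UTF-8 strings hidden as Base64 literals in script text."""
    found = []
    for match in B64_LITERAL.finditer(text):
        try:
            decoded = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not text: ignore
        if decoded.isprintable():
            found.append(decoded)
    return found


def scan_svg(svg_text):
    """Return human-readable findings for one SVG; an empty list means clean."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML ({exc}); quarantine rather than render"]
    findings = []
    for el in root.iter():
        name = local_name(el.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"<{name}> element")
            if name == "script":  # unmask Base64-hidden strings, e.g. the redirect URL
                for hidden in decode_base64_literals(el.text or ""):
                    findings.append(f"script decodes Base64 to: {hidden}")
        for attr, value in el.attrib.items():
            attr_name = local_name(attr)
            lowered = value.strip().lower()
            if attr_name.lower().startswith("on"):
                findings.append(f"event handler {attr_name} on <{name}>")
            elif attr_name in URL_ATTRS and lowered.startswith(("javascript:", "data:")):
                findings.append(f'{attr_name}="{value[:40]}" on <{name}>')
    return findings


def sanitize_svg(svg_text):
    """Drop active elements and attributes and return the cleaned markup."""
    root = ET.fromstring(svg_text)
    # Collect first, then remove: mutating the tree while iterating skips nodes.
    doomed = [(parent, child) for parent in root.iter()
              for child in list(parent) if local_name(child.tag) in ACTIVE_TAGS]
    for parent, child in doomed:
        parent.remove(child)
    for el in root.iter():
        for attr in list(el.attrib):
            attr_name = local_name(attr)
            lowered = el.attrib[attr].strip().lower()
            if attr_name.lower().startswith("on") or (
                    attr_name in URL_ATTRS and lowered.startswith(("javascript:", "data:"))):
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in scan_svg(SAMPLE_SVG):
        print("FLAG:", finding)
    print("after sanitising:", scan_svg(sanitize_svg(SAMPLE_SVG)))
```

Running the script flags the script element, the decoded redirect target and the javascript: link, and shows the sanitised copy scanning clean. A deny-list like this is useful as a gateway or upload-time check, but SVG has many less obvious ways to reach script execution, so blocking the attachment type outright or rasterising to PNG remains the simpler control where the business can tolerate it.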
