In a troubling new development in the world of phishing, researchers from Kaspersky have discovered a new phishing technique that uses SVG (Scalable Vector Graphics) files, a format used for web design and graphics.
Phishing tactics continue to evolve rapidly, moving beyond familiar PDF attachments and deceptive URLs like “FaceB00k”. This time, attackers are weaponizing SVG files to deliver malicious content.
Why SVG? A Phisher’s New Favourite Tool
SVG files are attractive to phishers for several reasons. Unlike JPEG or PNG images, SVGs are text-based and can be opened and edited in simple text editors. This provides a unique avenue for attackers: the ability to embed scripts and hyperlinks directly into the image file.
What sets SVG apart is its compatibility with JavaScript and HTML. While this capability enhances the format for web developers and designers — enabling the integration of interactive elements, text, and formulas — it also opens a backdoor for threat actors. Malicious code can be hidden in plain sight within the XML markup of an image.

How the Attack Works
At the start of 2025, Kaspersky researchers observed a wave of phishing emails using SVG files disguised as legitimate documents. On the surface, these emails looked similar to previous campaigns that used HTML attachments. But upon inspecting the source code, it became clear that the SVG file was being misused.

Though the file appeared to be an image, opening it in a browser revealed it functioned as an HTML page.

A link inside the SVG file pretended to be an audio file, directing users to a phishing page mimicking Google Voice. Clicking “Play Audio” led victims to a fake corporate email login screen — complete with company logos to lend authenticity — where credentials could be harvested.
In another variation, attackers imitated e-signature notifications, presenting SVG attachments as review documents. When opened, these files contained JavaScript code that triggered a new browser window with a fake Microsoft login page.
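The traits described above (an "image" that carries script, event handlers, HTML containers or links to external login pages) are exactly what a mail gateway or triage script can look for. The following is an added example, not code from Kaspersky's report: it parses an SVG attachment and lists the reasons it is more than a picture. The sample SVG, its placeholder handler and script bodies, and the domain phish.example.invalid are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET  # defusedxml.ElementTree is a safer drop-in for untrusted input
from urllib.parse import urlparse

# Elements that turn an "image" into an active document (foreignObject can wrap arbitrary HTML).
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "object", "embed"}


def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1]


def svg_findings(svg_text: str) -> list[str]:
    """Return the reasons this SVG is more than a picture; an empty list means none were found."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        # Browsers happily render sloppy markup that an XML parser rejects: a finding, not a pass.
        return ["not well-formed XML"]
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"active element <{name}>")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):          # onload, onclick, ... run script without a <script> tag
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href":               # plain href or xlink:href
                parsed = urlparse(value.strip())
                if parsed.scheme in ("http", "https"):
                    findings.append(f"external link to {parsed.netloc} on <{name}>")
                elif parsed.scheme in ("javascript", "data"):
                    findings.append(f"{parsed.scheme}: URI on <{name}>")
    return findings


# Constructed sample with the traits seen in the campaign; the domain and bodies are placeholders.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <text x="10" y="20">Play Audio</text>
  <a xlink:href="https://phish.example.invalid/login">
    <rect width="100" height="30" onclick="/* constructed: handler omitted */"/>
  </a>
  <script>/* constructed: script body omitted */</script>
</svg>"""
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_SVG), ("clean", CLEAN_SVG)):
        print(label, svg_findings(doc) or "no active content")
```

A non-empty result is a reason to quarantine or detonate the attachment in a sandbox rather than deliver it as an inline image.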
Conclusion
While not yet widespread, the use of SVGs in phishing attacks is on the rise. According to Kaspersky’s report, attackers are constantly testing new tactics, from redirection techniques to text obfuscation and format experimentation. The SVG format, with its ability to embed active code, presents a potent new frontier for phishing attacks.
“Though these SVG-based attacks are currently relatively basic, similar to early HTML phishing tactics, their potential for sophistication is considerable,” Kaspersky researchers warned.
As a general best practice, always verify the source of the email, avoid clicking suspicious links, and when in doubt, open attachments in a secure sandbox environment or consult IT professionals.
Source: hxxps[://]securelist[.]com/svg-phishing/116256/

