Threat actors are shifting from conventional phishing tricks, which used malicious links and document macros, to benign-looking image files embedded with stealthy browser redirects.
According to an Ontinue discovery, newer campaigns are using Scalable Vector Graphics (SVG) — typically harmless image formats — to sneak in obfuscated JavaScript that quietly redirects victims to malicious domains.
“This is a fresh spin on the technique of using image files for delivering suspect content, in this case, malicious SVGs,” said John Bambenek of Bambenek Consulting. “The attackers have to rely on complacency (‘it’s only an image, it doesn’t execute code’) to lull organizations into accepting this content and getting it on the inside of a network.”
The campaigns, which use social engineering lures like ‘ToDoList’, ‘Missed Call’, and ‘Payment Reminder’, require no additional downloads or clicks as the script automatically decrypts within the victim’s browser.
Clever use of SVG for delivery
According to Ontinue researchers, initial access is gained through spoofed or impersonated email senders that deliver the malicious SVG either as a direct file attachment or via a link to an externally hosted image that appears harmless.
“Defenders must collapse the old distinction between code and content,” said Jason Soroko, senior fellow at Sectigo. “Treat every inbound SVG as a potential executable. Strip or block script tags.”
The SVG uses XOR-encrypted JavaScript; once viewed in a browser, it decodes and runs a redirect to an actor-controlled final URL, using Base64 encoding for victim tracking. Unlike typical malware, no files are dropped and no macros are triggered, just pure browser-native execution. The stealthy delivery is possible because of security misconfigurations such as missing DomainKeys Identified Mail (DKIM) or relaxed Domain-based Message Authentication, Reporting and Conformance (DMARC) policies, the email authentication protocols that protect against email spoofing and phishing.
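The "relaxed DMARC" misconfiguration mentioned above is easy to check for. The following Python script is an added, illustrative example and is not part of the Ontinue research or any vendor tool: it parses a domain's DMARC TXT record and reports the settings that let spoofed mail through (no enforcing policy, partial enforcement, relaxed alignment, no reporting). Tag names and defaults follow RFC 7489; the two sample records and the domain `example.test` are constructed.

```python
"""
Assess a DMARC TXT record for the weaknesses the article mentions: a missing
or "none" policy, partial enforcement and relaxed identifier alignment.

Added example, not Ontinue's or Sectigo's tooling. Tag names and defaults
follow RFC 7489; the sample records below are constructed.
"""

# Constructed sample records for example.test (not a real domain).
RELAXED_RECORD = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.test"
STRICT_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                 "rua=mailto:dmarc@example.test")


def parse_dmarc(record):
    """Split 'k=v; k=v' into a dict of lowercase tag names (RFC 7489 section 6.3)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of findings; an empty list means the record rejects
    failing mail for the domain and its subdomains with strict alignment."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: spoofed mail is delivered normally")
    # sp= governs subdomains and defaults to p= when absent.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in ("quarantine", "reject"):
        findings.append(f"sp={sub_policy or 'missing'}: subdomains are not protected")
    # pct= applies the policy to only a percentage of failing mail (default 100).
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    # adkim/aspf default to relaxed ('r'); strict ('s') requires an exact match
    # between the authenticated domain and the From: header domain.
    for tag, name in (("adkim", "DKIM"), ("aspf", "SPF")):
        if tags.get(tag, "r").lower() != "s":
            findings.append(f"{tag}=r: relaxed {name} alignment accepts any subdomain")
    if not tags.get("rua"):
        findings.append("rua= missing: no aggregate reports, so failures go unseen")
    return findings


if __name__ == "__main__":
    for label, record in (("relaxed", RELAXED_RECORD), ("strict", STRICT_RECORD)):
        print(label, "->", assess_dmarc(record) or "no findings")
```

In practice the record comes from a DNS TXT lookup of `_dmarc.<domain>`; the script takes the record text so it runs offline. A relaxed-alignment finding is a hardening opportunity rather than a defect in every environment, but it is exactly the setting Soroko's "strict DMARC alignment" advice targets.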
“While this research is valuable to enterprise and hunt teams, organizations without a security staff will remain vulnerable to conventional cybercrime with this technique,” Bambenek added, stressing the need to have a dedicated team overseeing these controls.
Innovative, evasive, and targeted campaigns
Researchers pointed out that traditional endpoint detection, antivirus tools, and even email filters struggle to spot this threat because image files like SVGs are rarely considered dangerous. Compared to previous SVG-based attacks that used hosted payloads, this method keeps everything self-contained, further slipping past defenses.
Victims span B2B service providers, utilities, and SaaS companies, organizations that naturally receive high volumes of email attachments. For additional targeting, the campaign uses geofencing to tailor attacks by region, researchers added.
The Ontinue research recommended enforcing SPF, DKIM, and DMARC to block spoofed emails, and blocking or sanitizing SVG attachments. Using deep content inspection on inbound files and enabling protections like Safe Links, Safe Attachments, and ZAP in Microsoft Defender might also help. Soroko echoed Ontinue’s guidance and emphasized the need for proactive defense, stating, “Enforce strict DMARC alignment and auto purge questionable mail. Instrument telemetry to catch browser pivots triggered by window location changes that originate from image previews. Layered controls, like Safe Links content disarmament and lookalike domain monitoring, will disrupt the simple path attackers now rely on.”
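As an added, illustrative example that is not part of the Ontinue research or Sectigo's advice, the following Python script applies the "treat every inbound SVG as a potential executable" principle from above: it parses an SVG, lists the constructs that can run code in a browser (`<script>` elements, `on*` event handlers and `javascript:` URLs), and strips them. The sample SVG, its element contents and the placeholder payload string are constructed for illustration; only the standard library is used.

```python
"""
Inspect inbound SVG files for embedded script and strip it.

Added example, not Ontinue's or Sectigo's tooling; standard library only.
The sample SVG below is constructed for illustration and its "payload" is
inert placeholder text, not a working redirect. Production use should parse
with defusedxml (entity-expansion protection) or, as Ontinue recommends,
block or rasterise SVG attachments outright.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the conventional prefixes when re-serialising instead of ns0:/ns1:.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

JS_URL = re.compile(r"^\s*javascript:", re.IGNORECASE)

# Constructed sample: a "payment reminder" image carrying the three ways an
# SVG can execute code: a <script> element, an on* handler, a javascript: URL.
SAMPLE_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="240" height="100" onload="init()">
  <rect width="240" height="100" fill="#eeeeee"/>
  <text x="12" y="48">Payment Reminder</text>
  <a xlink:href="javascript:init()"><text x="12" y="80">Open</text></a>
  <script type="text/javascript"><![CDATA[
    var k = 0x41, d = "PLACEHOLDER_XOR_BLOB";   /* decoded in the browser in real campaigns */
    function init() { /* XOR d with k, then assign window.location */ }
  ]]></script>
</svg>
"""


def _local(qname):
    """'{namespace}script' -> 'script'; unqualified names pass through."""
    return qname.rsplit("}", 1)[-1]


def _active_attrs(el):
    """Attribute names on el that can run code: on* handlers, javascript: hrefs."""
    hits = []
    for attr, value in el.attrib.items():
        name = _local(attr).lower()
        if name.startswith("on") or (name == "href" and JS_URL.match(value)):
            hits.append(attr)
    return hits


def find_active_content(svg):
    """List the executable constructs in an SVG (bytes or str), in document order."""
    findings = []
    for el in ET.fromstring(svg).iter():
        tag = _local(el.tag)
        if tag == "script":
            findings.append("<script> element")
        for attr in _active_attrs(el):
            name = _local(attr).lower()
            if name == "href":
                findings.append(f"javascript: URL in <{tag}>")
            else:
                findings.append(f"event handler '{name}' on <{tag}>")
    return findings


def sanitize(svg):
    """Return the SVG as a string with <script>, on* handlers and javascript:
    URLs removed. Re-serialising from the parsed tree also drops comments,
    processing instructions and any DOCTYPE that came with the original bytes."""
    root = ET.fromstring(svg)
    parents = {child: parent for parent in root.iter() for child in parent}
    for el in list(root.iter()):
        if _local(el.tag) == "script":
            parents[el].remove(el)
            continue
        for attr in _active_attrs(el):
            del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in find_active_content(SAMPLE_SVG):
        print("FLAG:", finding)
    print(sanitize(SAMPLE_SVG))
```

Used in a mail gateway, `find_active_content` is the "deep content inspection" step: any finding on an attachment or on an image fetched from a link is grounds to quarantine the message, and the hunt-team signal is the same list. `sanitize` covers the common script carriers only; `<foreignObject>` (embedded HTML), animation elements that rewrite `href` at view time, and external references via `<use>` are further reasons to prefer blocking SVG outright where the business allows it.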