
SVG Phishing Campaign Exploits Email Security Gaps

Severity: High (Score: 71.0)

Sources: Isc.Sans.Edu, www.rfc-editor.org, isc.sans.edu, Techtimes

Published: 2026-06-02 · Updated: 2026-06-02

Keywords: emails, files, vector, phishing, sans, email, security

Summary

A new phishing campaign is leveraging SVG files to bypass email security measures, as reported by SANS. These SVG files contain obfuscated JavaScript that executes upon opening, redirecting users to credential-harvesting sites. The campaign has seen a dramatic rise, with a fifty-fold increase in malicious SVG attachments in 2025. Notably, Microsoft tracked 1.2 million phishing emails delivered to over 53,000 organizations across 23 countries in February 2026. The SVG files are disguised as ordinary images, making them difficult for security tools to detect. The payload is encoded using Base64 and XOR encryption, complicating automated analysis. This tactic highlights a significant blind spot in current email security defenses, particularly for organizations that have fortified against traditional threats like malicious PDFs and Office documents. Security teams are urged to update their detection rules to address this new vector.

Key Points:

  • SVG phishing emails exploit a gap in email security, increasing risks for organizations.
  • Malicious SVG files contain obfuscated JavaScript that executes silently in browsers.
  • The campaign has seen a fifty-fold increase in SVG-based phishing attempts in 2025.

Detailed Analysis

**Impact**

Over 1.2 million phishing emails containing malicious SVG attachments were delivered to more than 53,000 organizations across 23 countries, affecting multiple sectors globally. The campaign targets enterprise users by harvesting credentials through personalized phishing links embedded in SVG files. The attack bypasses traditional email security filters, increasing the risk of credential compromise and potential unauthorized access to sensitive business systems.

**Technical Details**

The attack uses SVG files containing obfuscated JavaScript that executes upon opening in the default Windows browser, redirecting victims to credential-harvesting phishing pages. The payload employs Base64 encoding combined with XOR encryption, with the key split across variables to evade automated detection. The MIME type application/ecmascript is used instead of text/javascript to bypass security tools. The phishing URLs use the ".cfd" TLD, commonly abused in phishing campaigns. No CVEs or malware families were specified.

**Recommended Response**

Update email security gateways and attachment scanners to detect application/ecmascript MIME types and inspect SVG attachments for embedded scripts. Implement user awareness training to avoid opening unexpected image attachments, especially SVG files. Monitor for unusual browser redirects and block domains using suspicious TLDs like ".cfd". If possible, restrict SVG file handling or disable automatic opening in browsers on Windows endpoints.
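As an added example (not code from SANS ISC, Microsoft or any other source cited on this page), the following Python script shows one way to act on the "inspect SVG attachments for embedded scripts" recommendation: a static triage pass that flags `<script>` elements and their declared MIME type (application/ecmascript rather than the text/javascript that RFC 9239 recommends), event-handler attributes, `javascript:` hrefs, `foreignObject` elements, and script bodies carrying a long Base64-like literal together with decode/XOR primitives. Both SVG inputs are constructed for the example, and the function and constant names (`scan_svg`, `BASE64_BLOB`, `DECODE_PRIMITIVES`) are assumptions of this example, not a real scanner's API.

```python
"""Static triage of SVG e-mail attachments for embedded script content.

Added example, not code from the sources cited on this page. It checks the
signals the analysis above describes: <script> elements and their declared
MIME type (application/ecmascript instead of text/javascript), event-handler
attributes, javascript: URLs, and script bodies carrying long Base64-like
literals together with decode/XOR primitives.
"""
import gzip
import re
import xml.etree.ElementTree as ET

# RFC 9239 makes text/javascript the only recommended JavaScript media type;
# anything else on a <script> is a weak but useful signal.
RECOMMENDED_SCRIPT_TYPE = "text/javascript"

# A run of 200+ Base64-alphabet characters rarely appears in hand-written SVG.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
# Primitives typically present when a script decodes a packed payload.
DECODE_PRIMITIVES = re.compile(r"atob\(|fromCharCode|charCodeAt|\^")


def local_name(qualified: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> dict:
    """Return {'suspicious': bool, 'findings': [str, ...]} for one attachment."""
    findings = []
    if data[:2] == b"\x1f\x8b":            # .svgz is gzip-compressed SVG
        data = gzip.decompress(data)
    try:
        # Production code should parse with defusedxml to block entity-expansion tricks.
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # An attachment that claims to be an image but is not well-formed XML
        # deserves a look rather than a pass.
        return {"suspicious": True, "findings": [f"unparseable XML: {exc}"]}

    for elem in root.iter():
        name = local_name(elem.tag).lower()
        if name == "script":
            mime = (elem.get("type") or RECOMMENDED_SCRIPT_TYPE).strip().lower()
            findings.append(f"script element (type={mime})")
            if mime != RECOMMENDED_SCRIPT_TYPE:
                findings.append(f"non-standard script MIME type {mime}")
            body = elem.text or ""
            if BASE64_BLOB.search(body):
                findings.append("script body contains a long Base64-like literal")
            if DECODE_PRIMITIVES.search(body):
                findings.append("script body uses decode/XOR primitives")
        elif name == "foreignobject":
            findings.append("foreignObject element (can embed arbitrary HTML)")
        for attr, value in elem.attrib.items():
            aname = local_name(attr).lower()
            if aname.startswith("on"):      # onload, onclick, onbegin, ...
                findings.append(f"event handler {aname} on <{name}>")
            if aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{name}>")
    return {"suspicious": bool(findings), "findings": findings}


# Constructed samples: a plain icon, and an SVG shaped like the lure described
# above (script typed application/ecmascript, key split across two variables,
# Base64 blob, XOR) with a harmless body instead of a real payload.
CLEAN_SAMPLE = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<circle cx="5" cy="5" r="4" fill="#09f"/></svg>'
)
SCRIPTED_SAMPLE = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="start()">'
    '<image xlink:href="logo.png" width="10" height="10"/>'
    '<script type="application/ecmascript"><![CDATA['
    'var k1="ab", k2="cd"; var blob="' + "QUJD" * 60 + '";'
    'var s=atob(blob); var c=s.charCodeAt(0)^(k1+k2).charCodeAt(0);'
    ']]></script></svg>'
).encode()

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("scripted", SCRIPTED_SAMPLE)):
        result = scan_svg(sample)
        print(label, "suspicious" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("  -", finding)
```

Run as a filter step in a mail gateway or as a one-off over an attachment quarantine; any finding is reason to hold the message, since a legitimate icon or diagram has no reason to carry script. The MIME-type check is deliberately a separate finding from the presence of `<script>`, because a gateway that only matches the string `text/javascript` is exactly the gap this campaign exploits.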

Source articles (4)

  • New Wave Of Phishing Emails with SVG Files, (Tue, Jun 2nd) — Isc.Sans.Edu · 2026-06-02
    For a few days, my SANS ISC mailbox has been flooded with emails that deliver SVG files. An SVG ("Scalable Vector Graphic") is a web-friendly vector file format used for graphics and icons. No URL in the b…
  • SVG Phishing Emails Bypass Email Security: SANS Flags New MIME — Techtimes · 2026-06-02
    A fresh wave of phishing emails is exploiting a blind spot in enterprise email security tools — one that most organizations have not closed — by disguising executable JavaScript inside SVG image files…
  • 33040 — isc.sans.edu · 2026-06-02
    For a few days, my SANS ISC mailbox has been flooded with emails that deliver SVG files. An SVG ("Scalable Vector Graphic") is a web-friendly vector file format used for graphics and icons. No URL in the b…
  • RFC 9239, published in May 2022 — www.rfc-editor.org · 2026-06-02
    Refer to [ RFC3552 ] for a discussion of terminology used in this section. Examples in this section and discussions of interactions of host environments with scripts, modules, and extensions to [ ECMA…

Timeline

  • 2025-01-01 — SVG phishing technique identified: Threat actors began using SVG files to deliver malicious content, exploiting email security gaps.
  • 2025-12-01 — Malicious SVG attachments surge: Malicious SVG attachments increased fifty-fold compared to 2024, becoming a top phishing vector.
  • 2026-02-01 — 1.2 million phishing emails tracked: Microsoft reported 1.2 million SVG-based phishing emails sent to over 53,000 organizations.
  • 2026-06-02 — SANS issues warning on SVG phishing: SANS documented the SVG phishing technique, urging organizations to strengthen email security.

Related entities

  • DDoS (Attack Type)
  • Man-in-the-Middle (Attack Type)
  • Phishing (Attack Type)
  • CWE-94 - Code Injection (Cwe)
  • T1027 - Obfuscated Files Or Information (Mitre Attack)
  • T1059.007 - JavaScript (Mitre Attack)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • T1566.001 - Spearphishing Attachment (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • Windows (Platform)
  • Spectre (Vulnerability)