Isc.Sans.Edu
SVG Phishing Campaign Exploits Email Security Gaps
A new phishing campaign is leveraging SVG files to bypass email security measures, as reported by SANS. These SVG files contain obfuscated JavaScript that executes upon opening, redirecting users to credential-harvesting sites. The campaign has seen a dramatic rise, with a fifty-fold increase in malicious SVG attachments in 2025. Notably, Microsoft tracked 1.2 million phishing emails delivered to over 53,000 organizations across 23 countries in February 2026. The SVG files are disguised as ordinary images, making them difficult for security tools to detect. The payload is encoded using Base64 and XOR encryption, complicating automated analysis. This tactic highlights a significant blind spot in current email security defenses, particularly for organizations that have fortified against traditional threats like malicious PDFs and Office documents. Security teams are urged to update their detection rules to address this new vector.
Key Points:
• SVG phishing emails exploit a gap in email security, increasing risks for organizations.
• Malicious SVG files contain obfuscated JavaScript that executes silently in browsers.
• The campaign has seen a fifty-fold increase in SVG-based phishing attempts in 2025.
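
One way to act on the call to update detection rules, as an added example that is not from SANS, Microsoft, or the original article: a Python triage function that flags active content in an SVG attachment (script elements, event-handler attributes, script URIs, and the Base64 and XOR decoding patterns the summary mentions). The function name, finding labels, regular expressions, and sample files are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples for illustration (not taken from any real campaign).
SAMPLE_SCRIPT = b"""<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <script><![CDATA[ var d = atob("AAAA"); var c = d.charCodeAt(0) ^ 7; ]]></script>
</svg>"""
SAMPLE_HANDLER = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
                  b'<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:void(0)"/></svg>')
SAMPLE_BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'

# Hypothetical heuristics for the Base64 + XOR decoding described in the summary.
DECODER_HINTS = {
    "base64-decode": re.compile(r"\batob\s*\("),
    "xor-decode": re.compile(r"charCodeAt\s*\([^)]*\)\s*\^|\^\s*\w+\.charCodeAt"),
}
SCRIPT_URI = re.compile(r"^\s*(javascript:|data:text/html)", re.I)

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()

def triage_svg(data: bytes) -> set:
    """Return the set of active-content findings for one SVG attachment."""
    if b"<!ENTITY" in data.upper():
        # Do not expand attacker-supplied entities; flag the file and stop.
        return {"entity-declaration"}
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return {"malformed-xml"}
    findings = set()
    for el in root.iter():
        tag = local(el.tag)
        if tag == "script":
            findings.add("script-element")
            body = "".join(el.itertext())  # includes CDATA content
            findings.update(n for n, rx in DECODER_HINTS.items() if rx.search(body))
        elif tag == "foreignobject":
            findings.add("foreign-object")  # can embed arbitrary HTML
        for attr, value in el.attrib.items():
            if local(attr).startswith("on"):
                findings.add("event-handler")
            elif local(attr) == "href" and SCRIPT_URI.match(value):
                findings.add("script-uri")
    return findings
```

Any finding is grounds to quarantine or strip the attachment, since an image sent by email rarely needs script. An empty result only means none of these markers were present, not that the file is safe.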