Threat Actors Weaponizing SVG Files to Embed Malicious JavaScript

Activity Timeline

How phishers are weaponizing SVG images in zero-cl...
CSO Online
Jul 15
13:00
Threat Actors Use SVG Smuggling for Browser-Native...
SecurityWeek
Jul 15
14:33
Weaponizing SVG: How Threat Actors Embed Malicious...
GB Hackers
Jul 17
07:58
Threat Actors Weaponizing SVG Files to Embed Malic...
Cybersecurity News
Primary Article
Jul 17
09:05
Threat actors are quietly turning Scalable Vector Graphics (SVG) files into precision-guided malware. In a surge of phishing campaigns, seemingly innocuous .svg attachments slip past secure email gateways because mail filters regard them as static images. Once the recipient merely previews the file, hidden JavaScript executes inside the browser, triggering an invisible redirect chain that funnels victims to attacker infrastructure. The lure emails are minimalist—often a single icon or "Missed Call" teaser—and exploit organisations that have weak SPF, DKIM or DMARC enforcement. As the attachments bypass signature checks, the first line of defence fails; Ontinue analysts identified the wave after correlating near-identical SVGs sent to B2B service providers and SaaS vendors, all containing distinct Base64 tracking strings that map each click to a workstation. Since no executable is dropped, endpoint agents see only normal browser activity while credentials are siphoned off on well-crafted Micr...