1. What is an SVG and why do attackers love it?
Scalable Vector Graphics (SVG) is a web image format based on XML. Unlike PNG or JPG, SVG files are text files that a browser reads and renders as graphics. Because it’s text, an SVG can also contain links, scripts, and embedded elements. That dual nature—image plus code—makes SVGs incredibly flexible for designers and, unfortunately, very handy for attackers.
Reasons threat actors are leaning into SVG:
- It looks harmless. An SVG usually arrives as a “picture” of a login page, invoice, or delivery note. People trust images.
- It slips through filters. Some email and web filters treat images as low risk, especially if they’re small and unremarkable.
- It can redirect. An SVG can open a phishing site in a new tab, or silently auto-forward the user to a credential harvester.
- It compresses well. The same payload can be tiny, helping it evade size-based checks and rate limits.
2) How SVG phishing works (with simple examples)
There are three common flavours you’ll see in the wild:
- Clickable decoy image:
The attacker sends an SVG that visually mimics a “View Document” button. The entire image is one big link to a phishing site. The file name sells the story:Invoice_1089.svg,DocuSignNotice.svg,Zoom_Meeting_Details.svg. - SVG as a jump pad:
The SVG uses an<a>tag orxlink:hrefinside the graphic to redirect the user. The link may be shortened or obfuscated. When the user previews or opens the “image”, the browser follows the link to a credential page dressed up as Microsoft 365, Google, Zoom, or your payroll portal. - Embedded script or data URI:
Some SVGs embed JavaScript (depending on how the browser handles it) or adata:URL that decodes to HTML. The net effect is the same: the user ends up at a malicious site, or a fake login form renders right in the browser.
A simplified, recognisable snippet you might see:
There’s nothing fancy in that code—yet it’s enough to trick a busy staff member.
3) Why many security layers miss malicious SVGs
- MIME and extension whitelisting: Email gateways sometimes treat
.svgas an image and don’t deeply inspect it. - Inline rendering: Some collaboration tools preview SVGs inline, so users click before thinking.
- URL detonation gaps: If the SVG points to a redirect that only becomes malicious after a delay (time-bombing), sandboxing may miss it.
- New domains & link shorteners: Attackers rotate infrastructure to stay ahead of reputation-based filters.
4) Real-world delivery routes
Attackers aren’t fussy. They’ll use whatever works:
- Email attachments labelled as invoices, HR documents, VoIP messages, or meeting invites.
- Cloud storage links (OneDrive, Google Drive, Dropbox) where the SVG is hosted and shared “from a known brand”.
- Chat platforms (Teams, Slack, WhatsApp Business) where short, urgent messages push the recipient to “review asap”.
- Compromised websites that stuff SEO and lure staff to download a “template” or “policy” that’s actually an SVG.
5) Business impact
SVG phishing is not just a nuisance. It can lead to:
- Credential theft for Microsoft 365, Google Workspace, payroll, banking, or HR systems.
- Session hijacking if the lure captures tokens or pushes the user to approve an MFA prompt.
- Malware delivery where the SVG is the first step before a dropper or info-stealer lands.
- Business email compromise (BEC) resulting in invoice fraud or payroll diversion.
Once an attacker has an admin or finance mailbox, they can pivot quickly—creating forwarding rules, registering rogue apps, or sending internal-looking requests to suppliers.
6) Prevention for non-technical teams (the quick wins)
You don’t need to be an engineer to reduce risk:
- Treat unexpected SVGs as suspicious. Genuine suppliers rarely send image files instead of PDFs.
- Hover before you click. If your email client shows the destination URL, check it. Look closely for misspellings and odd domains.
- Use known portals. If the message claims to be DocuSign, Microsoft, or your bank, navigate there via your own bookmark—not the email.
- Pause and verify. A two-minute phone call to the sender (using a known number) beats hours of cleanup.
- Report easily. Make sure there’s a one-click “Report Phish” button in Outlook/Google Mail so your security team can act fast.
7) Technical hardening for IT teams
Here’s a layered approach that works in Irish SMEs and mid-market organisations:
Email and collaboration
- Block or quarantine SVG attachments unless there’s a legitimate business case. Create an allow-list for trusted senders if absolutely necessary.
- Rewrite and scan links (Safe Links/URL Defence equivalents) and detonate attachments in a sandbox. Ensure detonation follows redirects and re-checks links after a delay.
- Disable inline SVG previews in chat and collaboration tools where feasible.
- Strip active content at the gateway if your tooling supports SVG sanitisation.
Browsers and endpoints
- Restrict file associations: Don’t auto-open SVGs in full browsers from email clients.
- Deploy a modern browser security baseline: Enable Enhanced Safe Browsing/SmartScreen/URL reputation, block risky schemes like
data:where business-appropriate, and enforce HSTS. - Application control: Use Windows Defender Application Control / AppLocker policies to prevent unauthorised helper apps or script hosts from running.
- EDR rules: Create detections for suspicious browser children (e.g.,
cmd.exe,powershell.exe) spawned shortly after opening image files.
Identity and access
- Enforce phishing-resistant MFA where possible (FIDO2/WebAuthn). If that’s not feasible, use number matching and restrict legacy authentication.
- Conditional Access: Block authentication from improbable travel, newly unseen devices, or risky sign-ins.
- App governance: Monitor OAuth app consent and block end-user consent to risky scopes.
Web and application layer
- Content Security Policy (CSP): If your own sites accept SVG uploads, lock down
img-src,object-src, and disallow inline scripts. - Sanitise server-side: Strip scripts, external references, and
data:URIs from user-supplied SVGs before storing or serving them. - Use signed URLs and strict MIME types when serving images to clients.
8) Detection tips: what to look for
Teach your SOC (or managed SOC) to hunt for:
- Email patterns: A sudden spike in
.svgattachments or messages with “view document”, “secure”, “encrypted”, “DHL”, “P60/P45”, “VAT”, “Zoom meeting”. - Proxy logs: Short user sessions that begin with loading an
.svgand immediately hit an unfamiliar domain, often via 302 redirects. - Authentication anomalies: Multiple failed logins followed by an MFA push approval from the same user; impossible travel; sign-ins from headless browsers.
- Mailbox rules: Newly created auto-forwarding rules to external addresses or rules that hide replies.
- Endpoint signals: Browser spawning script interpreters or archival tools within seconds of the user opening an “image”.
9) Incident response: a practical playbook
When an SVG phish lands, time is everything. Use this as a checklist:
- Triage and contain
- Identify recipients and whether anyone clicked.
- Quarantine the email everywhere (search & purge).
- Block the malicious domain and any redirectors at DNS, firewall, and secure web gateway.
- Validate access
- For any user who clicked, reset passwords, invalidate sessions, and re-enrol MFA if suspicious prompts occurred.
- Check sign-in logs for the past 7–14 days for unusual locations, devices, or OAuth consent events.
- Harden the mailbox
- Remove rogue mailbox rules and address forwarding.
- Audit delegated access and app consents.
- Forensics
- Keep the original SVG and message headers.
- Extract IOCs (domains, IPs, hashes).
- Review proxy/EDR timelines around the event window.
- Recovery and comms
- Notify affected teams (finance, HR, suppliers) if BEC is suspected.
- Provide user-friendly guidance: what happened, what to do, and how to avoid a repeat.
- Lessons learned
- Update blocklists, detections, and training material.
- Consider a temporary, stricter email posture for high-risk roles (finance, execs).
10) Policy, training, and governance
- Attachment policies: Decide if SVGs are necessary for the business. If not, block them and document the exception process.
- Supplier due diligence: Ask vendors how they distribute documents. nudge them towards PDFs via secure portals rather than images by email.
- Role-based controls: Finance and HR should have stronger inbound filtering and stricter Conditional Access rules.
- Continuous awareness: Use short, monthly micro-lessons with real screenshots of lures you’ve seen internally—keep it relevant to your staff.
- Tabletop exercises: Run a 60-minute scenario on “SVG-led BEC” with IT, finance, and leadership. Agree who does what, and capture gaps.
Quick reference: red flags your staff can spot
- File types that don’t match the task (a picture for a document).
- Urgent language around payments, payroll, or compliance.
- Links that look like “secure-docs-login[.]com/microsoft” rather than microsoft.com.
- Requests to sign in again to view a simple file you weren’t expecting.
- Messages that arrive outside business hours from “internal” people you don’t usually hear from.
A balanced default policy that works well
If you’re unsure where to start, this baseline is sensible for most Irish SMEs:
- Block inbound
.svgattachments by default; allow only for named senders on a case-by-case basis. - Enable URL rewriting and delayed link re-scan; detonate attachments and follow redirects during sandboxing.
- Enforce number-matching MFA and block legacy auth; monitor impossible travel alerts.
- Use a DNS filtering service to stop newly registered or risky domains at the network edge.
- Put a “Report Phish” button in the email client and actually act on submissions quickly to build trust.
How CK Computer Solutions – Managed IT Services Dublin can help
SVG phishing sits in that awkward gap between user behaviour and technical nuance. You need both sides right. That’s where we come in.
At CK Computer Solutions – Managed IT Services Dublin, we help Irish businesses reduce phishing risk without slowing the day-to-day work:
- Email security configuration: We tune Microsoft 365/Google Workspace policies to quarantine risky file types like SVG, enable URL rewriting, and set up sandboxing that re-checks delayed redirects.
- Identity hardening: We roll out phishing-resistant MFA (or best-practice MFA with number matching), Conditional Access, and session controls so a single click doesn’t become a full breach.
- Endpoint & browser baselines: We deploy practical Windows security baselines, application control, and EDR detections that spot suspicious behaviour after an “image” opens.
- Awareness training that sticks: Short, role-based sessions using real examples (including SVG lures) sent to your teams. No scare tactics—just tools people remember.
- Monitoring & response: Our managed service watches your email and identity logs for patterns that point to SVG or image-led phishing, and we jump on containment fast—blocking domains, invalidating sessions, and cleaning up mailbox rules.
- Policy & governance support: We’ll help draft and implement attachment handling policies, supplier requirements, and exception workflows so the business keeps moving while staying safe.
If you’d like a quick health check on your current setup—or want us to test how your filters handle a benign SVG sample—reach out to CK Computer Solutions. We’ll tailor a plan that fits your organisation, your budget, and the way your people actually work.
