245% Increase in SVG Files Used to Obfuscate Phishing Payloads



A KnowBe4 Threat Labs Publication
Authors: James Dyer and Cameron Sweeney

The KnowBe4 Threat Research team has observed a sustained increase in the use of Scalable Vector Graphics (SVG) files to obfuscate malicious payloads.

SVGs are vector-based rather than pixel-based like PNGs and JPGs. This means the graphic elements can be scaled up without loss of quality - making them ideal for sharing graphics such as logos and icons via email.

In a now well-established pattern (think QR codes and quishing attacks), cybercriminals are attempting to take advantage of the growing use of this file type, hoping familiarity will lead to complacency in the targets of their phishing attacks. 

As we’ll also discuss later, SVG files offer technical advantages to cybercriminals looking to evade traditional email security filters.

Our Threat Research team analyzed phishing emails sent between January 1st and March 5th, 2025, discovering that SVG files accounted for 6.6% of malicious attachments in phishing emails detected by KnowBe4 Defend. This is a 245% increase when compared to attacks sent between October 1st and December 31st, 2024, during which time SVGs made up only 1.9%. The largest spike to date occurred on March 4th, with SVGs accounting for 29.5% of all malicious attachments. 

When analyzing these attacks, our team discovered that two major phishing campaigns contributed to this increase. 


Analysis of Two SVG Phishing Campaigns
All attacks in this blog were identified and neutralized by KnowBe4 Defend and analyzed by our Threat Research team. 

Vector and type: Email phishing
Primary techniques: Malicious attachments obfuscated using SVG files
Targets: Global
Platform: Microsoft 365
Bypassed native and SEG detection: Yes

Campaign 1: SVGs used in polymorphic attacks
This campaign involves phishing emails using SVG attachments with polymorphic file names.

The subject line is designed to appear like a routine system automated email (“e_Portal_Server_Notice <to.address>” in the attack shown below), while the attacks are actually sent from a compromised account with a high domain age. The use of the compromised account helps the emails pass authentication checks (including DMARC, SPF and DKIM in the attacks we analyzed) and even evade detection by Microsoft’s native spam confidence filter. 

When opened, the SVG attachment is loaded in the recipient’s web browser and contains a clickable transparent rectangle. For many people, an automatic reaction when presented with a blank webpage is to click on it - a natural impulse that, in this case, moves the attack forward. If the user clicks on the rectangle, they are redirected to a credential harvesting phishing website that uses Microsoft branding. 

The phishing emails use a combination of advanced obfuscation techniques to help them bypass the signature-based detection present in traditional email security products, such as secure email gateways (SEGs). 

Both the subject and attachment names are polymorphic, changing with each phishing email to avoid hash-based detection (the lookup for known bad signatures used by SEGs). The subject line also contains the same text as the name of the attachment in an attempt to improve the email’s appearance of legitimacy. Additionally, the malicious link within the SVG is encoded with the phishing domain and the recipient’s email address, which means the JavaScript within the SVG is itself polymorphic.

The email body in the attack shown below contains limited text, but is filled with numerous line breaks and a benign email footer at the bottom. This technique aims to make the attack appear less suspicious to filtering technology that uses the character count to decide whether a message is suspicious, and potentially to neutralize some natural language processing (NLP) detection. Our researchers believe the cybercriminal uses the benign footer to manipulate email security detection software, while the line breaks potentially hide the footer from the recipient’s view, depending on the email preview available.

Phishing attack detected by KnowBe4 Defend with malicious SVG file attachment featuring polymorphic file name.

Campaign 2: Missed messages hiding malicious JavaScript
The second campaign features a “missed message” phishing email, where the target is prompted to open an attachment to listen to a voice message following a missed call. The SVG attachment contains JavaScript that, once clicked, automatically loads a phishing website on the target’s machine. 

This campaign features a high level of personalization, designed to lure the victim into a false sense of security. The recipient’s email address is repeated in the file name and the body of the email. Additionally, the JavaScript in the payload dynamically appends the recipient’s email address as a query parameter to a credential harvesting website (consequently tagging the harvested password to a specific user) and prefills the form with the target’s email address. This increases the likelihood they’ll be deceived by the attack, as the target has less time to think about what they’re doing before they enter their Microsoft password. 

Like the previous attack, the phishing email shown below was also sent from a compromised account that allowed it to appear legitimate to authentication protocols and pass DMARC checks. The email also features brand impersonation for RingCentral - a trusted communication software that is used by the target’s organization - which further enhances its appearance of credibility. 

Finally, the cybercriminal manipulates the layout of the email, forcing Microsoft’s external email banner to move from the top of the email to the bottom. This is achieved by modifying the HTML with additional blank spaces and custom styling to adjust the margins and padding to move the <table> section of the code that contains the warning banner to the bottom of the email. Inline CSS is also used to prevent the banner from moving back to the original position. 

This is done to divert the recipient’s attention away from the message that prompts them to examine the email more closely and to not open unknown attachments. KnowBe4 Defend’s banners utilize anti-manipulation techniques and were not affected by this. 

Phishing attack detected by KnowBe4 Defend with malicious SVG file attachment, featuring the target’s email in the attachment name and body copy.


Credential harvesting website designed to steal Microsoft logins, with target’s email address prefilled.

The Growing Threat of SVGs
SVG files are inherently visual and are often trusted in the same way as simple images. However, unlike traditional image files, the XML structure of SVGs means that they can be used by cybercriminals to incorporate scripts that remain invisible to users and some virus scanners. This dynamic behavior combined with the natural appeal of high-quality visuals makes SVGs a potent phishing threat. 

While HTML smuggling is a well-known technique that embeds harmful code in HTML files to bypass security filters, SVG phishing is arguably even more dangerous. SVGs use the same concept of smuggling code, but their integration into a familiar image format makes them less conspicuous and, consequently, less frequently scrutinized by traditional defenses. This advanced method is less widely recognized, meaning that many organizations and security products might not be adequately prepared to detect or mitigate the threat.

Evading Detection by Secure Email Gateways (SEGs)
Many email security filters, like SEGs, and endpoint protection systems primarily scrutinize file types typically associated with executable code like EXE or HTML, as well as more traditional file formats, such as ZIPs, PDFs, DOCs, JPGs and PNGs. Since SVGs are commonly assumed to be “safe” file types, they may bypass these checks to allow malicious files to be delivered. 

SVGs are also fundamentally different from these other file types, enabling them to evade traditional detection mechanisms in other ways:

  • Text-based format: SVGs are XML-based and appear primarily as text. Many SEGs treat them as benign image data rather than executable content
  • Embedded code and obfuscation: Attackers can embed JavaScript and other active elements within an SVG, which isn’t possible with other image file types. By using techniques like Base64 encoding and dynamic string assembly, the malicious code is hidden from static scanners that aren’t designed to parse embedded scripts
  • Payload revealed on execution: Most SEGs have limited parsing capabilities and do not fully execute or inspect the embedded scripts within SVG files. The malicious payload only reveals itself when the file is rendered in a browser, bypassing the SEG’s detection mechanisms
  • Appearance of legitimacy: Given that SVGs are widely used in web and graphic design, these files are often passed off as legitimate images, reducing the likelihood that they’ll be flagged as suspicious by automated filters

Providing multiple avenues for attack
SVGs also enable attackers to utilize several different techniques within their attacks. This versatility is driving the increased use of this attachment type. 

Injecting Harmful Code
An attacker can embed malicious JavaScript within an SVG file (as seen in the second example analyzed in this post). When opened in a browser, this code can automatically redirect the user to a fraudulent website. Alternatively, the script could redirect to a site that prompts for other sensitive information or initiates a malware download.

Data Exfiltration 
Embedded scripts can be used to silently collect and send sensitive information, such as login credentials or personal data, to an external server. For example, a malicious SVG might include code that monitors user inputs, such as keystrokes entered into a login form, and then sends this data via an HTTP request to an attacker-controlled server. This could result in the unauthorized collection of credentials, personal details, or other confidential information.

Undetected Actions
SVG files sent as attachments are typically regarded as harmless, static images. This benign appearance means that executed payloads can go unnoticed. Because both users and many email security filters assume that image attachments are non-executable, the embedded malicious code can operate covertly without triggering standard security alerts.

Below is an example of a hidden code snippet from a malicious SVG sent to a KnowBe4 Defend customer (and detected by KnowBe4 Defend).

JavaScript payload that was hidden inside an SVG attachment to a phishing email detected by KnowBe4 Defend. 

The code contains three key features:

  • Embedded image: The <image> tag loads a visual asset that appears benign, such as a logo or graphic. This image can distract the user from any underlying malicious activity
  • Transparent overlay: A <rect> element with a transparent fill covers the entire image area, creating an invisible clickable hotspot. Since it appears as a normal image with no visual cues, users are unaware that clicking on it will trigger additional actions
  • Malicious hyperlink: The clickable area is wrapped in an <a> tag that contains an obfuscated URL. Initially, the link directs the user to a CGI script that’s likely used for tracking or counting clicks. The query parameter (link=) then points to a second URL, which is likely the final malicious destination. The two-stage redirection process helps conceal the true target, bypassing basic security filters and misleading both users and automated defenses

How to Detect Phishing Attacks with SVG Attachments
As we’ve seen, one of the attractions of using SVG files in phishing attacks is their ability to get through traditional email security defenses, particularly SEGs. As a result, organizations need to ensure they have technical measures in place that will catch missed threats, utilizing:

  • Contextual analysis to detect anomalies - for example, understanding that SVG attachments are common in graphic design emails but are unusual in other contexts, such as a missed message
  • Attachment and metadata inspection to identify suspicious patterns, such as an attachment name matching the recipient’s email address, or a mismatch between a sender’s display name and the From address
  • Advanced natural language processing (NLP) to analyze the email content, looking for evidence that differentiates legitimate communication from phishing attempts
  • Zero trust and holistic evaluation that analyzes all factors, including contextual clues and metadata anomalies, and successfully quarantines threats, even when an email has already passed all standard authentication checks, such as those sent from compromised trusted accounts
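The SVG structure described above (benign embedded image, transparent clickable rectangle, two-stage hyperlink) and the metadata checks listed here can both be tested statically before an attachment ever reaches a browser. The following is an added example, not KnowBe4's or any product's code: it parses the SVG XML and reports the indicators this post describes. The sample SVG, file name, recipient address and domains are constructed for illustration.

```python
# Added example (not KnowBe4's code): static triage of an SVG attachment for the
# indicators described in the post. Sample SVG, file name, recipient and domains are constructed.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

def _local(qname):
    """Strip the XML namespace prefix from a tag or attribute name."""
    return qname.rsplit("}", 1)[-1]

def triage_svg(svg_bytes, filename, recipient):
    """Return indicator strings found in the SVG markup and attachment metadata."""
    findings = []
    root = ET.fromstring(svg_bytes)  # expat does not fetch external entities
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            findings.append("embedded <script>")
        for attr, val in el.attrib.items():
            name, low = _local(attr), val.strip().lower()
            if name.startswith("on"):  # onload=, onclick=, ... run without a <script>
                findings.append(f"event handler {name} on <{tag}>")
            if low.startswith(("javascript:", "data:")):  # script URI or base64 blob
                findings.append(f"{low.split(':')[0]}: URI in {name} on <{tag}>")
        if tag == "a":
            href = el.get("href") or el.get(XLINK_HREF) or ""
            parsed = urlparse(href)
            if parsed.scheme in ("http", "https"):
                findings.append(f"external hyperlink to {parsed.netloc}")
                # Two-stage redirect: a query value (e.g. link=) that is itself a URL
                for key, vals in parse_qs(parsed.query).items():
                    if any(urlparse(v).scheme in ("http", "https") for v in vals):
                        findings.append(f"second-stage URL in query parameter '{key}'")
        if tag == "rect" and ((el.get("fill") or "").lower() in ("none", "transparent")
                              or el.get("fill-opacity") == "0"):
            findings.append("transparent <rect> overlay")
    if recipient and recipient.lower() in filename.lower():
        findings.append("recipient address embedded in attachment name")
    return findings

# Constructed sample modelled on the structure the post describes (placeholder domains).
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="600" height="400">
  <image href="data:image/png;base64,iVBORw0KGgo=" width="600" height="400"/>
  <a xlink:href="https://tracker.example/cgi-bin/c.cgi?link=https://login.example/?e=user%40example.com">
    <rect width="600" height="400" fill="transparent"/>
  </a>
</svg>"""
```

Run `triage_svg(SAMPLE_SVG, "voicemail_user@example.com.svg", "user@example.com")` to see all five indicators reported; a plain logo SVG with an opaque fill and no hyperlink returns an empty list.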

Our Threat Research team believes SVG phishing attachments will form a significant phishing threat throughout 2025. As well as deploying advanced email security defenses, it is also important to continue to invest in personalized training and coaching to effectively manage the human risk associated with phishing.
