
Cybersecurity researchers at Ontinue have discovered a new phishing campaign that hides malicious code inside SVG image files, targeting businesses and individuals.
Because the files are treated as images rather than executables, the technique lets attackers slip past traditional security filters and steal sensitive information without dropping any obvious malware.
Ontinue reported that threat actors are embedding obfuscated JavaScript within SVG files.
When victims open these files in a browser, the code executes silently and redirects them to attacker-controlled websites. These sites often display fake login pages designed to steal credentials.
“The attack leverages browser-native functions to avoid detection while tracking victims through Base64-encoded identifiers,” Ontinue said.
The phishing emails use minimal content and subject lines such as “Missed Call,” “ToDoList,” or “Payment” to lure recipients into opening the attachment.
A Closer Look at the Attack
Ontinue’s technical analysis revealed that the malicious SVG files carry JavaScript hidden in CDATA sections. The payload is stored in obfuscated form and reconstructed only at runtime: the script reverses an XOR encoding with an embedded key and relies on browser-native functions such as atob() (Base64 decoding) and Function() (building code from a string) to decode and execute it, so no plaintext redirect appears in the file itself.
When executed, the script assembles a redirect URL that includes a unique Base64 string, likely used for victim tracking. The campaign also employs geofencing, adjusting landing sites based on the victim’s location to enhance evasion.
Attackers deliver these files through phishing emails sent from spoofed or lookalike domains.
Many of the domains involved were found to lack adequate SPF, DKIM, and DMARC records, making it easier for attackers to impersonate trusted senders.
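The SPF and DMARC weaknesses mentioned above can be checked mechanically. The following is an added example, not tooling from Ontinue’s report: it grades a domain’s published SPF and DMARC TXT records and shows a weak pair beside an enforcing pair. The record strings and the example.com domain are constructed; a real check would fetch them from DNS (the TXT records of the domain and of _dmarc.<domain>), which this offline snippet does not do. DKIM is not assessed because its records live under per-selector names that the checker cannot enumerate.

```python
"""Grade SPF and DMARC records for how well they resist sender spoofing.

Added example, not from Ontinue's report. The record strings are constructed
samples for a hypothetical example.com; in practice they come from the TXT
records of example.com and _dmarc.example.com, which this snippet does not query.
"""
from typing import List, Optional


def _costs_lookup(term: str) -> bool:
    """True for SPF terms that cost a DNS lookup (RFC 7208 caps these at 10)."""
    name = term.lstrip("+-~?").lower()
    name = name.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
    return name in ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=...' into a tag dictionary with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> List[str]:
    """Return the weaknesses found; an empty list means the policy is enforcing."""
    if not record:
        return ["no DMARC record published: receivers cannot reject spoofed mail"]
    tags = parse_dmarc(record)
    issues = []
    if tags.get("v", "").upper() != "DMARC1":
        issues.append("record does not start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        issues.append("missing or unknown p= policy")
    if tags.get("sp", "").lower() == "none":
        issues.append("sp=none leaves subdomains open to spoofing")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct} enforces the policy on only part of the mail")
    if "rua" not in tags:
        issues.append("no rua= address, so spoofing attempts go unreported")
    return issues


def assess_spf(record: Optional[str]) -> List[str]:
    """Return weaknesses in an SPF record's terminal rule and DNS-lookup budget."""
    if not record:
        return ["no SPF record published"]
    terms = record.split()
    issues = []
    if not terms or terms[0].lower() != "v=spf1":
        issues.append("record does not start with v=spf1")
    terminal = terms[-1].lower() if terms else ""
    if terminal in ("+all", "all"):
        issues.append("'+all' lets any host send as this domain")
    elif terminal == "~all":
        issues.append("'~all' is a soft fail; pair it with DMARC p=reject")
    elif terminal != "-all":
        issues.append("no terminal '-all', so unlisted senders are not rejected")
    lookups = sum(1 for t in terms[1:] if _costs_lookup(t))
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return issues


# Constructed before/after records for the hypothetical example.com.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.10 -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc@example.com; adkim=s; aspf=s")

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, "SPF:", assess_spf(spf) or "ok")
        print(label, "DMARC:", assess_dmarc(dmarc) or "ok")
```

The weak pair is the common real-world state: a soft-fail SPF and a monitor-only DMARC, which together let a spoofed message through to the inbox. The strong pair rejects at the receiver, covers subdomains, and reports attempts to the domain owner.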
Security Recommendations
Ontinue advises individuals and organizations to take several steps:
- Avoid opening unsolicited attachments, even if they appear to be images.
- Verify the sender’s email domain for authenticity.
- Implement strict DMARC policies alongside SPF and DKIM.
- Block or inspect SVG files for embedded scripts before allowing them through email gateways.
- Educate staff about emerging threats like SVG-based phishing.
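The inspection step in the recommendations, applied to the CDATA, atob() and Function() pattern described in the analysis, as an added example (not Ontinue’s detection logic). The scanner parses an SVG, flags script-capable elements and the runtime-decoding fragments the report names, and returns a block-or-allow verdict a mail gateway could act on. All three SVG samples are constructed: the Base64 blob in the suspicious one is just the alphabet and digits, so whatever it decodes to is not runnable code. The checks for event-handler attributes and javascript: hrefs go beyond the CDATA case the report describes, since those are the other places an SVG can carry script.

```python
"""Inspect SVG attachments for embedded script before a mail gateway lets them through.

Added example; not Ontinue's detection logic. All SVG samples below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Elements that can carry or load script; an image attachment has no need for them.
SCRIPT_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# JavaScript fragments typical of payloads decoded at runtime (heuristic substrings).
INDICATORS = {
    "atob(": "Base64 decode at runtime",
    "Function(": "builds code from a string",
    "eval(": "evaluates a string as code",
    "fromCharCode": "rebuilds a string byte by byte",
    "location": "navigation, e.g. a redirect",
}
# 'charCodeAt(i) ^ k' style XOR de-obfuscation.
XOR_DEOBF = re.compile(r"\)\s*\^\s*\w")
# 40+ Base64-alphabet characters in a row: an encoded blob rather than ordinary code.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(svg_bytes: bytes) -> list:
    """Return the reasons this SVG should not be treated as a plain image."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as err:
        # Browsers are more forgiving than XML parsers, so unparseable input is
        # not safe to wave through; quarantine it for review instead.
        return [f"unparseable XML ({err}); quarantine for manual review"]
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name in SCRIPT_TAGS:
            findings.append(f"<{name}> element present")
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.startswith("on"):
                findings.append(f"event handler {a}= on <{name}>")
            if a == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{name}>")
        if name == "script":
            # The parser hands CDATA content back as ordinary element text.
            text = el.text or ""
            for needle, why in INDICATORS.items():
                if needle in text:
                    findings.append(f"script uses {needle!r}: {why}")
            if XOR_DEOBF.search(text):
                findings.append("script XORs characters with a key")
            for blob in B64_RUN.findall(text):
                findings.append(f"{len(blob)}-char Base64-like string in script")
    return findings


def gateway_verdict(svg_bytes: bytes) -> tuple:
    """Block-or-allow decision for one attachment, with the supporting findings."""
    findings = scan_svg(svg_bytes)
    return ("block" if findings else "allow"), findings


# Constructed sample mirroring the reported pattern. The Base64 blob is only the
# alphabet and digits, so what it decodes to is not runnable code.
SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
<script type="text/javascript"><![CDATA[
var k = 0x2a, b = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5", o = "";
var s = atob(b);
for (var i = 0; i < s.length; i++) o += String.fromCharCode(s.charCodeAt(i) ^ k);
Function(o)();
]]></script>
</svg>"""

# Constructed sample with script only in an event-handler attribute (example.test is a placeholder).
HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="location.href='https://example.test/'"/>"""

# Constructed benign image.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
<circle cx="5" cy="5" r="4" fill="red"/></svg>"""

if __name__ == "__main__":
    for label, svg in (("suspicious", SUSPICIOUS_SVG), ("handler", HANDLER_SVG), ("benign", BENIGN_SVG)):
        verdict, why = gateway_verdict(svg)
        print(label, verdict, *why, sep="\n  ")
```

The substring indicators are deliberately coarse (a word like “allocation” would trip “location”), which is acceptable at a gateway where the policy question is simply whether an image attachment contains any script at all; the safer rule, as the recommendation says, is to block every SVG that carries a script element or handler rather than to try to rate the script.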