Cybercriminals Weaponize Graphics Files in Phishing Attacks

Feb. 7, 2025

Cybercriminals have ramped up their use of graphics files to spread malicious links and malware during email phishing attacks, according to new research by Sophos.

The tactic is designed to bypass conventional endpoint or mail protection tools.

Attackers have been observed using the graphics file format scalable vector graphics (SVG) for this purpose. SVGs contain Extensible Markup Language (XML)-like text instructions to draw resizable, vector-based images on a computer.

Andrew Brandt, Principal Researcher at Sophos X-Ops, told Infosecurity that some anti-spam tools may not consider SVG files a threat because the format is intended for graphics.

"Even in cases where SVG files are inspected and parsed by these tools, the threat actors may be using SVG files because some kinds of content scanning technology may not recognize the patterns or the way the malicious content is constructed inside the SVG file," Brandt added.

SVG files provide a range of advantages for threat actors:

  • They open in the default browser on Windows computers
  • They can contain anchor tags, scripting and other kinds of active web content, enabling attackers to include an anchor tag that links to a web page hosted elsewhere
  • They can be used to draw a range of shapes and graphics, allowing attackers to impersonate multiple entities

Brandt noted: "The SVG format provides the threat actors with yet another set of methodologies to conceal or obfuscate malicious content inside."

The researchers first observed the spread of malicious SVG file attachments in late 2024 and this approach has accelerated since mid-January 2025.

How SVG Phishing Attacks Work

Sophos said it has observed attackers use multiple subject lines and lures to entice targets to click on malicious SVG images.

These lures included new voicemails, contracts, payment confirmation and health and benefits enrolment.

The attacks also impersonate a number of well-known brands and services, including DocuSign, Microsoft SharePoint, Dropbox and Google Voice.

Additionally, versions were discovered that targeted different languages, based on the top-level domain of the recipient.

The simplest of the malicious SVG files contain one or a few lines of hyperlinked text, such as “Click to Open.”

Other more elaborately constructed files have embedded images designed to impersonate well-known brands.
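Brandt's remark that scanners may not recognize how the malicious content is built inside the SVG suggests a direct content check on the attachment itself. The following is an added example written for this article, not Sophos tooling or anything from the research: it parses an SVG and flags the active-content markers described above (anchor tags with their link text, script elements, inline event handlers and foreignObject), with the two sample SVGs and the domain phish.example constructed for the demonstration.

```python
"""Flag SVG attachments that carry active content rather than a plain picture."""
import xml.etree.ElementTree as ET  # in production prefer defusedxml to parse untrusted XML

XLINK_NS = "http://www.w3.org/1999/xlink"


def local(name: str) -> str:
    """Strip the namespace from an ElementTree tag or attribute: '{ns}a' -> 'a'."""
    return name.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list[str]:
    """Return one finding per active-content marker; an empty list means none seen."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag == "script":
            findings.append("script element")
        elif tag == "foreignObject":
            findings.append("foreignObject element (can embed HTML)")
        elif tag == "a":
            # SVG 2 uses plain href; older files use xlink:href, so check both.
            href = el.get("href") or el.get(f"{{{XLINK_NS}}}href") or ""
            text = " ".join("".join(el.itertext()).split())
            findings.append(f"hyperlink to {href!r} with text {text!r}")
        for attr in el.attrib:
            if local(attr).lower().startswith("on"):  # onload, onclick, ...
                findings.append(f"event handler {local(attr)} on <{tag}>")
    return findings


def is_suspicious(data: bytes) -> bool:
    """Quarantine decision: any finding at all makes the attachment suspicious."""
    return bool(scan_svg(data))


# Constructed samples: a harmless icon and a lure of the "Click to Open" kind.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4"/></svg>')
LURE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="https://phish.example/login">'
            b'<text x="10" y="20">Click to Open</text></a></svg>')

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(name, scan_svg(sample))
```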
