Kaspersky Warns of Growing Phishing Threats Using SVG Image Files

Kaspersky has identified a disturbing new trend in phishing attacks targeting both individuals and organizations. Cybercriminals are using SVG (Scalable Vector Graphics) files as attachments in phishing emails.

SVG is a commonly used image format, but attackers are exploiting its features to embed malicious scripts. These scripts lead users to phishing websites designed to steal login credentials by mimicking popular services like Google and Microsoft.

Since the beginning of the year, Kaspersky has detected over 4,000 such phishing emails globally, with attacks in March 2025 increasing nearly six times compared to February.

Understanding the Danger of SVG Files in Phishing Attacks

SVG is an XML-based format for describing two-dimensional vector graphics. Unlike common image formats such as JPEG or PNG, SVG files support JavaScript and HTML, which lets attackers embed executable scripts within the file.

Users are often deceived into opening these files, assuming they are just regular images. However, opening them can lead to malicious websites disguised as trusted platforms.

One common method involves attaching an SVG file that appears as a webpage when opened in a browser. The page contains a link that claims to lead to an audio file.

When the link is clicked, the user is redirected to a phishing page that mimics the Google Voice service. The audio file shown there is actually just a static image. Clicking the “Play Audio” button redirects the user to a login page for their corporate email, where attackers can capture their login details.

The page includes Google Voice branding and the target company’s logo to further lower the user’s defenses.

A More Dangerous Variant: Fake E-signature Requests

In another variation, attackers are using SVG files to impersonate e-signature requests. These files appear to be documents that need the user’s review and signature.

Instead of acting as a simple HTML page, this SVG file contains JavaScript that runs when the file is opened and launches a browser window redirecting the user to another phishing site, this time impersonating Microsoft’s login page.
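
A mail-gateway style check for the two variants described above (an SVG that acts as an HTML page with a link, and an SVG whose JavaScript redirects on open), added here as an illustration and not Kaspersky's detection logic. It assumes the HTML variant uses SVG's foreignObject element; the function names and the sample files are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)

# Constructed samples (not taken from real campaigns): an HTML-link variant,
# a script-redirect variant, and a plain image.
SAMPLE_LINK = (b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
               b'<a xmlns="http://www.w3.org/1999/xhtml" '
               b'href="https://voice.example.invalid/listen">Play Audio</a>'
               b'</foreignObject></svg>')
SAMPLE_SCRIPT = (b'<svg xmlns="http://www.w3.org/2000/svg"><script><![CDATA['
                 b'window.location.href="https://login.example.invalid/sign";'
                 b']]></script></svg>')
SAMPLE_IMAGE = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

def local(name):
    """Drop the '{namespace}' prefix ElementTree adds to names."""
    return name.rsplit("}", 1)[-1].lower()

def scan_svg(data):
    """Return (reasons, urls) describing active content in one SVG attachment."""
    reasons, urls = [], set()
    if b"<!ENTITY" in data.upper():
        return ["entity-declaration"], urls  # do not expand entities; flag instead
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["malformed-xml"], urls
    for el in root.iter():
        tag = local(el.tag)
        if tag == "script":
            reasons.append("script-element")
            urls.update(URL_RE.findall(el.text or ""))
        elif tag == "foreignobject":
            reasons.append("embedded-html")
        for attr, value in el.attrib.items():
            if local(attr).startswith("on"):
                reasons.append("event-handler:" + local(attr))
            if value.strip().lower().startswith("javascript:"):
                reasons.append("javascript-uri")
            urls.update(URL_RE.findall(value))
    return reasons, urls

if __name__ == "__main__":
    for name in ("SAMPLE_LINK", "SAMPLE_SCRIPT", "SAMPLE_IMAGE"):
        print(name, scan_svg(globals()[name]))
```

Any non-empty reasons list on an image attachment is grounds to quarantine it, since the URL extraction is best-effort and will miss addresses that a script assembles at run time.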

Kaspersky’s Expert Advice on Preventing Phishing Attacks

Roman Dedenok, an anti-spam expert at Kaspersky, comments on the rising trend: “Phishers are continuously evolving their tactics, using new methods to avoid detection.

Attacks involving SVG files are on the rise. While these attacks are currently relatively simple, the use of SVG as a carrier for malicious code could lead to more sophisticated and targeted phishing campaigns in the future.”

To avoid falling victim to phishing attacks, Kaspersky experts recommend the following actions:

  • Always verify the sender’s identity before opening any email or clicking on any link.
  • If the message seems unusual, even from a trusted sender, contact them using an alternative communication method to confirm its authenticity.
  • Double-check the spelling of any website URLs, as attackers often use subtle errors (e.g., replacing “I” with “1” or “O” with “0”) to trick users into visiting fraudulent sites.
  • Use trusted security software when browsing the internet to help detect and block phishing attempts.

This rising threat underlines the importance of cautious email and web browsing practices in today’s increasingly dangerous digital landscape.
