Kaspersky warns of rising SVG-based phishing attacks
A person holds a smartphone displaying a phishing concept with a fishing hook attached to an email icon, accessed on April 21, 2025. (Adobe Stock Photo)
Cybersecurity researchers at Kaspersky have uncovered a new phishing technique where attackers send emails with Scalable Vector Graphics (SVG) file attachments to target both individual and corporate users.
Unlike traditional image formats such as JPEG or PNG, SVG files use Extensible Markup Language (XML) for defining two-dimensional vector graphics and support JavaScript and HTML elements. This versatility, normally beneficial for designers working with non-graphical content like text, formulas and interactive elements, is now being exploited by cybercriminals.
According to Kaspersky’s report, attackers are embedding scripts within SVG files to redirect users to phishing pages. Victims often open these files believing they are merely viewing an image.
In one attack method, the SVG attachment functions essentially as an HTML page without graphic definitions. When opened in a web browser, users see what appears to be a webpage with a link suggesting it leads to an audio file. However, clicking this link redirects to a phishing page mimicking a Google Voice recording.
The supposed audio recording is actually just a static image, and clicking the “Play Sound” button redirects users to another page that imitates a corporate email login screen, allowing attackers to capture usernames and passwords.
In another variant, attackers disguise the email as a notification from an e-signature service, presenting the SVG attachment as a document requiring review and signature. Unlike the first example, this SVG file uses embedded JavaScript code to launch a fake login page directly in the browser when opened, redirecting the user to a phishing site mimicking the Microsoft login screen.
Sharp increase in phishing attacks
Kaspersky statistics reveal a dramatic increase in these attacks, with SVG-based phishing attempts in March showing nearly six times the volume observed in February. Globally, more than 4,000 such emails have been detected since the beginning of the year.
Roman Dedenok, Kaspersky’s Antispam Expert, noted that fraudsters continuously develop new tactics to bypass detection mechanisms.
“We’re seeing a clear increase in attacks containing SVG attachments,” Dedenok said. “Currently, these attacks remain relatively simple. SVG files contain either a page with direct phishing links or a script that redirects to a fake site. However, the use of SVG as a carrier for malicious content could appear in much more sophisticated and targeted attack scenarios in the future.”
