Cybercriminals are once again exploiting SVG (Scalable Vector Graphics) files in a new phishing campaign that demonstrates just how dangerous these seemingly harmless files can be. While SVGs are often used to display images, they are written in XML, meaning they can also contain HTML and JavaScript code—making them a potential weapon for attackers.
Why SVG Files Are Being Exploited
One major advantage for attackers is that on Windows systems, SVG files typically open by default in Microsoft Edge, regardless of the user’s preferred browser. Since many people don’t secure Edge with the same ad-blockers or filters they use on Chrome or Firefox, it becomes an overlooked entry point for phishing attempts.
In this campaign, attackers crafted an SVG named RECElPT.SVG. On the surface, the file looks like a recipe, with code disguised using food-related names like menuIngredients and saladBowl. However, behind this disguise, the file contained a JavaScript redirect designed to send victims to a malicious site.
The script worked by converting encoded “ingredients” into ASCII characters that ultimately revealed a redirect command:
window.location.replace("https://outuer.devconptytld[.]com.au/");
Once redirected, victims landed on a verification page designed to appear legitimate—shielded by Cloudflare services—and were then forwarded again, with their email address passed along to the next destination. Although the final phishing page was not active during analysis, researchers believe it likely contained a fake Microsoft 365 or Outlook login form intended to steal credentials.
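As an added illustration (not code from the article or from the researchers who analysed the file), the following Python triage script reads the mechanism above from the defender's side: it parses an SVG as XML, flags the elements and attributes that can run code, and decodes runs of character codes so a hidden window.location redirect becomes visible to an analyst or a mail gateway. The sample SVG, its variable name and its .invalid destination are constructed for the demo.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted files prefer defusedxml

# Constructed sample, not the campaign's file: a <script> hides a redirect as
# a list of character codes behind a food-themed name, as the article describes.
# The destination is a placeholder (.invalid TLD), not a real domain.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" onload="serve()">
<rect width="10" height="10"/>
<script><![CDATA[
var menuIngredients = [119,105,110,100,111,119,46,108,111,99,97,116,105,111,110,
46,114,101,112,108,97,99,101,40,34,104,116,116,112,115,58,47,47,101,120,97,109,
112,108,101,46,105,110,118,97,108,105,100,47,34,41,59];
]]></script>
</svg>"""

ACTIVE_TAGS = {"script", "foreignObject", "iframe"}  # can carry HTML/JS
CHARCODE_RUN = re.compile(r"(?:\d{2,3}\s*,\s*){8,}\d{2,3}")  # 9+ codes in a row
SUSPICIOUS_JS = re.compile(
    r"window\.location|location\.(?:replace|href|assign)|String\.fromCharCode|atob\(|eval\(")

def decode_charcode_runs(text):
    """Turn each run of decimal char codes back into the string it encodes."""
    decoded = []
    for m in CHARCODE_RUN.finditer(text):
        nums = [int(n) for n in re.findall(r"\d+", m.group(0))]
        if all(32 <= n < 127 for n in nums):  # printable ASCII only
            decoded.append("".join(chr(n) for n in nums))
    return decoded

def triage_svg(svg_text):
    """Return a list of findings; an empty list means no active content found."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        tag = el.tag.split("}")[-1]  # drop the XML namespace prefix
        if tag in ACTIVE_TAGS:
            findings.append(f"active element <{tag}>")
        for attr, val in el.attrib.items():
            name = attr.split("}")[-1]
            if name.lower().startswith("on"):
                findings.append(f"event handler {name}= on <{tag}>")
            if val.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {name}= on <{tag}>")
        if tag == "script" and el.text:
            if SUSPICIOUS_JS.search(el.text):
                findings.append("script references location/eval directly")
            for plain in decode_charcode_runs(el.text):
                if SUSPICIOUS_JS.search(plain):
                    findings.append(f"char-code blob decodes to: {plain}")
    return findings
```

A clean image-only SVG yields an empty list, while the sample above is flagged three times: the onload handler, the script element, and the decoded redirect string.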
Characteristics of the Campaign
- Multiple versions of the malicious SVG have been traced back to August 26, 2025.
- Each file included the target’s email address, indicating a highly targeted campaign.
- The phishing domain appears to mimic the legitimate devconptyltd.com.au, a tactic often seen in Business Email Compromise (BEC) attacks.
- Subdomains linked to this attack were supported by a TLS certificate issued on August 24, 2025, valid for three months.
- Microsoft has observed similar attacks, with some code obfuscation likely enhanced by AI tools.
How to Protect Against SVG Phishing
Although SVG attachments are uncommon, this campaign highlights why organizations should handle them with caution:
- Treat SVGs like any other attachment: never open them unless you confirm with the sender.
- Use password managers: they only auto-fill credentials on the site they were saved for, so a look-alike domain gets nothing.
- Verify website URLs: especially when prompted for login information.
- Deploy real-time anti-malware protection with web filtering capabilities—solutions like Malwarebytes have already flagged the domains tied to this campaign.
- Adopt advanced email security solutions that can scan and quarantine suspicious attachments before they reach end users.
Final Thoughts
This SVG-based phishing campaign demonstrates how attackers continue to innovate with file formats and obfuscation techniques. By hiding malicious redirects inside what appears to be a recipe, cybercriminals aim to bypass suspicion and steal valuable credentials. Organizations must remain vigilant, ensuring both technical defenses and user awareness training are strong enough to counter these evolving threats.