Here’s an interesting attack vector that has surged by 1800% in the last year. We all know the usual suspects for delivering malware: PDFs, DOCs, EXEs, HTMLs. But users are getting smarter. They hesitate. They double-check. So attackers are asking themselves a simple question: what’s the one file that looks totally harmless, easily gains a user’s trust to open, and yet can cause real harm? The answer: an image file! The attack vector: SVG-based phishing!

Attack Flow:
1) Attacker creates a malicious JavaScript (say, to redirect to a malicious site) > encodes it into base64 format to evade detection.
2) Attacker now embeds this obfuscated script into an SVG file. Why SVG? Because it's XML-based, supports JavaScript, and looks like a harmless image.
3) Attacker now distributes the SVG file via phishing emails, messaging apps, or cloud storage links. The file name might be something catchy like invoice.svg or event-flyer.svg.
4) Victim opens the file in a browser > no download needed > the browser renders the SVG like any other image, but behind the scenes something else happens.
5) The embedded script executes in the context of the browser > it decodes the base64 payload > redirects the victim to a phishing site > drops a malware file onto the system > all of this just by opening 1 image!

A Few Thoughts:
1) Attackers love SVGs for one reason: they look like images, but act like code.
2) SVGs aren't bitmap images (like JPG or PNG). Bitmaps are made of pixels. Each pixel has a fixed color and position. But SVGs are made of code (XML and HTML). That code describes shapes, colors, and even animations. SVGs can include JavaScript - actual executable code.
3) How easy is it to embed code in SVG? Easier than you'd imagine! Refer to the attached pic, which shows both the SVG code (to load a logo) + the malicious embedded script. The output looks like an innocent logo image, but once a user opens it, it redirects them to the attacker's site.
4) Security email gateways are not very effective at catching these, for 2 reasons: 1) they treat SVG images as images rather than code; 2) using base64 encoding or dynamic string assembly, malicious code is hidden from scanners. The payload reveals itself only at the time of execution. Consider checking what level of support your current email security tool has for SVG phishing.
5) Detect .svg files with embedded <script> or <iframe> tags. These are rare in legit SVGs, but used by phishers.
6) Consider blocking SVGs in high-risk environments. If not, evaluate the option of flagging them with a warning to the user.

If you enjoyed this or learned something, follow me at Rohit Tamma for more in future! #phishing #malware #threatdetection #infosec #cybersecurity #threathunting
Email security threats from image-based malware
Summary
Email security threats from image-based malware are attacks where malicious code is hidden inside image files attached to emails, especially SVGs, tricking users and security tools into treating them as safe. SVG files are a type of image that can contain executable scripts, which makes them a popular way for attackers to deliver malware or phishing links without raising suspicion.
- Scrutinize SVG attachments: always treat SVG files in emails with caution, especially if you weren't expecting them, since legitimate use is rare and they can contain hidden scripts.
- Update email filters: Make sure your email security tools are configured to scan SVG files for embedded code, not just standard image content or executables.
- Educate your team: Raise awareness among staff so they know not to open suspicious image attachments, even if they appear harmless or are labeled as common documents.
Phishing emails are increasingly using SVG (Scalable Vector Graphics) attachments to avoid detection by security software. SVG files can display graphics and HTML and execute JavaScript, making them useful for phishing attacks. These attachments are often used to present phishing forms or to pose as official documents, tricking users into downloading malware. MalwareHunterTeam has reported a rise in the use of SVG files in phishing campaigns. Due to their textual nature (XML), SVG files often bypass security detection tools. Since SVG attachments are rare in legitimate emails, they should be treated cautiously unless expected. This screenshot displays an altered SVG phishing sample (altered by NVISO) showing a "no-reply" Wikipedia email address. When a victim receives this SVG attachment, it includes their own email address. Upon opening, the SVG mimics a blurred Excel spreadsheet, with a green phishing form overlaid on top. The Wikipedia logo is fetched via a legitimate Clearbit logo service (through an HTTPS request to logo[.]clearbit[.]com, which can be detected). This entices the victim to enter their credentials to see the full spreadsheet. When the victim enters their password and clicks the "View Document" button, the credentials are sent to an attacker-controlled web server. #phishing #security #detection #awareness
NEW: The increasing use of "Scalable Vector Graphics" files by threat actors in cybercrime marks a concerning evolution in #phishing and #malware delivery tactics. Unlike raster image formats like JPG and PNG, which are composed of fixed grids of pixels, SVG files are based on XML text. This means SVG files store image data as mathematical instructions, allowing them to scale infinitely without loss of quality. This text-based nature makes SVG files versatile and lightweight but also exposes them to exploitation by the bad guys. Malicious actors embed phishing forms or JavaScript payloads directly into SVG files, enabling them to bypass traditional security measures that focus on binary-based malware or static image content. One key reason SVG files evade detection is their ability to seamlessly integrate malicious scripts or phishing content while appearing innocuous to end users and even some security tools. For example, a phishing form can be embedded entirely within an SVG attachment in an email, presenting a highly realistic fake login page to unsuspecting victims. Since many email filters and antivirus systems focus on identifying malicious executables or traditional phishing links, they may not scrutinize SVG attachments as closely. Of note: browsers and email clients widely support SVG files, making them an ideal vector for attackers. https://lnkd.in/gCABXJbX #auguryit #cybersec #emailsecurity
Can you get hacked by an image? We’ve been playing with email attachments at Arsen Cybersecurity, especially PDFs given the recent attack patterns, but by monitoring recent phishing threats I stumbled upon a not-so-new technique using SVG to deliver payloads. SVG is a popular vector image format, so it’s a bit less suspicious than a .exe or .msi (or .iso 🙄) attachment in your mailbox. I’m just catching up with this, but it’s been documented before and used by malware like QakBot. TL;DR: using JS smuggling in SVG, it’s possible to make a dropper out of an SVG file. Detailed explanation:
1. You can add JavaScript to SVG files
2. The JS decodes an obfuscated payload
3. Then creates a blob and an HTML link with a download attribute
4. Then clicks on said link
5. Browser saves the payload to disk
Ping me if you want some resources in the comments ;) #cybersecurity #phishing #smuggling Image Credit: Outflank
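A detector for the tells named in Rohit Tamma's point 5 and in the smuggling steps above, as an added example that is not code from either post: it parses an SVG as XML and flags script and HTML-embedding elements, event-handler attributes, javascript: links, and script bodies that call atob, build a Blob or set a download attribute. The heuristics and the two sample SVGs are constructed here; the placeholder base64 string decodes to plain text.

```python
import re
import xml.etree.ElementTree as ET

# Constructed heuristics: elements that are rare in legitimate SVG images but
# typical of SVG lures (inline script, HTML embedded via foreignObject, iframes).
SUSPICIOUS_TAGS = {"script", "foreignObject", "iframe", "object", "embed"}
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")  # long base64-looking blob
SMUGGLING_APIS = {"atob(": "atob", "new Blob(": "blob", ".download": "download"}


def _local(tag: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return tag.rsplit("}", 1)[-1]


def scan_svg(svg_text: str) -> list[str]:
    """Return findings for one SVG document; an empty list means nothing was flagged."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return ["xml:parse-error"]  # do not pass along what cannot be parsed
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name in SUSPICIOUS_TAGS:
            findings.append(f"element:{name}")
        for attr, value in el.attrib.items():
            a = _local(attr).lower()
            if a.startswith("on"):  # onload=, onclick=, onerror=, ...
                findings.append(f"handler:{a}")
            if a == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("href:javascript")
        if name == "script":
            body = el.text or ""  # CDATA content is delivered here as plain text
            findings += [f"script:{label}" for api, label in SMUGGLING_APIS.items() if api in body]
            if BASE64_RUN.search(body):
                findings.append("script:base64-run")
    return findings


# Constructed samples: a plain logo, and a lure shaped like the attack flows above.
BENIGN_LOGO = """<svg xmlns="http://www.w3.org/2000/svg" width="120" height="40">
  <rect width="120" height="40" fill="#0a66c2"/><text x="10" y="26">ACME</text>
</svg>"""
LURE = """<svg xmlns="http://www.w3.org/2000/svg" width="120" height="40" onload="run()">
  <rect width="120" height="40" fill="#0a66c2"/>
  <script><![CDATA[ var s = atob("UGxhY2Vob2xkZXIgdGV4dCBvbmx5"); /* decodes to "Placeholder text only" */ ]]></script>
</svg>"""
```

A gateway rule can quarantine or warn on any non-empty result; legitimate SVGs that embed raster data in image href attributes are not flagged, since only script bodies are checked for base64 runs.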
Title: 🚨 Beware: Phishing Emails Now Using SVG Attachments to Evade Detection Body: Cybersecurity experts have identified a new phishing tactic where attackers use SVG (Scalable Vector Graphics) attachments to bypass traditional email security filters. Unlike standard image files, SVGs can embed scripts, allowing malicious actors to redirect users to harmful websites or download malware upon opening. Why is this important? Traditional security systems may not flag SVG files, increasing the risk of data breaches and financial loss. What should you do? Be cautious with unexpected email attachments, especially SVG files. Ensure your security software is updated and scans all file types. Educate your team about this emerging threat. Stay vigilant and protect your digital assets. #Cybersecurity #Phishing #EmailSecurity