Rise in phishing scams as SVG attachments target login data

Kaspersky has observed a sharp rise in phishing attacks delivered via SVG image files, with incidents increasing almost sixfold in March 2025 compared to the previous month.

The cybersecurity firm reported that attackers are distributing phishing emails to both individuals and organisations, using SVG (Scalable Vector Graphics) file attachments—a format typically associated with image storage—to lure recipients into disclosing sensitive information.

According to Kaspersky, opening one of these malicious SVG files leads unsuspecting users to phishing websites that mimic popular services from companies like Google and Microsoft. These fraudulent pages are designed to capture login credentials, placing victims at risk of significant personal and financial harm. The company has detected over 4,000 such emails globally since the start of 2025.

SVG files use XML, a markup language supporting rules to define various data types. While this format is intended to help designers incorporate text, formulas and interactive features into images, its compatibility with JavaScript and HTML has made it attractive to cybercriminals. Attackers can embed scripts within SVG files that redirect victims to phishing websites when the file is opened, often exploiting recipients' curiosity about image attachments.

In a typical scenario described by Kaspersky, the SVG attachment functions as an HTML page that contains no actual graphics. When opened, the file displays a web page with a link purporting to be an audio file. Clicking the link redirects the user to a phishing page designed to resemble Google Voice, where the supposed audio is merely a static image.

Further interaction, such as pressing the "Play Audio" button, leads users to a fraudulent corporate email login page. This imposter site includes references to Google Voice and incorporates the logos of targeted companies to enhance its credibility and persuade users to enter their credentials.

Kaspersky also documented a variation on this approach, where attackers sent phishing emails that appeared to be notifications from an e-signature service. In this instance, the SVG attachment was presented as a document requiring review and signature. Instead of acting as an HTML page, the SVG contained JavaScript that, once opened, triggered a browser window displaying another fake login page—this time imitating a Microsoft service.

Roman Dedenok, Anti-Spam Expert at Kaspersky, commented, "Phishers are relentlessly exploring new techniques to circumvent detection. They vary their tactics, sometimes employing user redirection to confuse, and other times, experimenting with different attachment formats. Attacks with SVG attachments are showing a clear upward trend. While currently these attacks are relatively basic, with SVG files containing either a phishing link page or a redirection script to a fraudulent site, the use of SVG as a container for malicious content can also be employed in more sophisticated targeted attacks."

Kaspersky offered several recommendations to help individuals and businesses avoid falling victim to these campaigns. The guidance includes only opening emails and clicking links if the sender is trusted, double-checking potentially strange messages through alternative means of communication, carefully inspecting website URLs for subtle errors—such as replacing a letter with a similar-looking number—and using reputable security solutions when browsing the internet.