Cybercriminals Weaponize Graphics Files in Phishing Attacks – Source: www.infosecurity-magazine.com

Cybercriminals have ramped up their use of graphics files to spread malicious links and malware during email phishing attacks, according to new research by Sophos.

The tactic is designed to bypass conventional endpoint or mail protection tools.

Attackers have been observed using the graphics file format scalable vector graphics (SVG) for this purpose. SVGs contain Extensible Markup Language (XML)-like text instructions to draw resizable, vector-based images on a computer.

Andrew Brandt, Principal Researcher at Sophos X-Ops, told Infosecurity that some anti-spam tools may not consider SVG files a threat because it is intended as a graphics file.

“Even in cases where SVG files are inspected and parsed by these tools, the threat actors may be using SVG files because some kinds of content scanning technology may not recognize the patterns or the way the malicious content is constructed inside the SVG file,” Brandt added.

SVG files provide a range of advantages for threat actors:

• They open in the default browser on Windows computers
• They can contain anchor tags, scripting and other kinds of active web content, enabling attackers to include an anchor tag that links to a web page hosted elsewhere
• They can be used to draw a range of shapes and graphics, allowing attackers to impersonate multiple entities

Brandt noted: “The SVG format provides the threat actors with yet another set of methodologies to conceal or obfuscate malicious content inside.”

The researchers first observed the spread of malicious SVG file attachments in late 2024 and this approach has accelerated since mid-January 2025.

How SVG Phishing Attacks Work

Sophos said it has observed attackers use multiple subject lines and lures to entice targets to click on malicious SVG images.

These lures included new voicemails, contracts, payment confirmation and health and benefits enrolment.

The attacks also impersonate a number of well-known brands and services, including DocuSign, Microsoft SharePoint, Dropbox and Google Voice.

Additionally, versions were discovered that targeted difference languages, based on the top-level domain of the recipient.

The simplest of the malicious SVG files contain one or a few lines of hyperlinked text, such as “Click to Open.”

Other more elaborately constructed files have embedded images designed to impersonate well-known brands.

The links take the victims to phishing pages hosted on attacker-controlled domains. Nearly all of the observed pages were gated with a CloudFlare CAPTCHA to prevent automated visits.

The sites also prefetch the content of the Office365 login dialog from login.live.com and present the target with all the expected animations familiar to an O365 user.

When the target inputs their login details, most of the sites will immediately capture the text input and exfiltrate it directly to the domain hosting the iFrame the login dialog appears in.

In a few cases, the credentials were transmitted to multiple sites simultaneously. One session even passed the credentials to a Telegram bot using the messaging service’s API.

New Phishing Techniques Bypassing Security

The use of graphics files to steal credentials and deliver malware highlights the novel phishing tactics being employed to bypass defenses. 

This includes the types malicious links and files used, such as QR codes, which are designed to evade optical character recognition (OCR)-based defenses.

Domain spoofing to impersonate brands has also become commonplace.

In July 2024, Guardio Labs reported that cybercriminals exploited a modifiable configuration setting in Proofpoint’s email protection service. This enabled threat actors to create emails mimicking official Proofpoint email relays with authenticated Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) signatures.

Check Point researchers revealed in December 2024 that cybercriminals bypassed email security measures by using Google Calendar and Drawings to send seemingly legitimate invites containing malicious links.

Attackers have also become more adept at bypassing multi-factor authentication (MFA) protections during phishing campaigns.

In a recent campaign observed by Abnormal Security, attackers leveraged spoofed login pages to steal credentials and bypass MFA using Microsoft Active Directory Federation Services (ADFS), a single sign-on solution.