Over the past year, Phishguard observed an increase in phishing campaigns leveraging Scalable Vector Graphics (SVG) files as initial delivery vectors, with attackers favoring this format due to its flexibility and the challenges it presents for static detection.
SVGs are an XML-based format designed for rendering two-dimensional vector graphics. Unlike raster formats like JPEGs or PNGs, which rely on pixel data, SVGs define graphics using vector paths and mathematical equations, making them infinitely scalable without loss of quality. Their markup-based structure also means they can be easily searched, indexed, and compressed, making them a popular choice in modern web applications.
However, the same features that make SVGs attractive to developers also make them a highly flexible - and dangerous - attack vector when abused. Since SVGs are essentially code, they can embed JavaScript and interact with the Document Object Model (DOM). When rendered in a browser, they aren’t just images - they become active content, capable of executing scripts and other manipulative behavior. In other words, SVGs are more than just static images; they are also programmable documents.
The security risk is underestimated, with SVGs frequently misclassified as innocuous image files, similar to PNGs or JPEGs - a misconception that downplays the fact that they can contain scripts and active content. Many security solutions and email filters fail to deeply inspect SVG content beyond basic MIME-type checks (a tool that identifies the type of a file based on its contents), allowing malicious SVG attachments to bypass detection.
We’ve seen a rise in the use of crafted SVG files in phishing campaigns. These attacks typically fall into three categories:
Redirectors - SVGs that embed JavaScript to automatically redirect users to credential harvesting sites when viewed
Self-contained phishing pages - SVGs that contain full phishing pages encoded in Base64, rendering fake login portals entirely client-side
DOM injection & script abuse - SVGs embedded into trusted apps or portals that exploit poor sanitisation and weak Content Security Policies (CSPs), enabling them to run malicious code, hijack inputs, or exfiltrate sensitive data
Given the capabilities highlighted above, attackers can now use SVGs to:
Gain unauthorized access to accounts
Create hidden mail rules
Phish internal contacts
Steal sensitive data
Initiate fraudulent transactions
Maintain long-term access
Our telemetry shows that manufacturing and industrial sectors are taking the brunt of these SVG-based phishing attempts, contributing to over half of all targeting observed. Financial services follow closely behind, likely due to SVG’s ability to easily facilitate the theft of banking credentials and other sensitive data. The pattern is clear: attackers are concentrating on business sectors that handle high volumes of documents or frequently interact with third parties.
