
Over the past six months, SVG files have unexpectedly emerged as a favored weapon in the arsenal of cybercriminals, increasingly used to launch phishing attacks via email. This method of delivering malicious code is rapidly gaining traction, with a growing number of companies reporting a sharp surge in such threats.
According to reports from more than a dozen organizations—including AhnLab, Cloudflare, Forcepoint, Intezer, Kaspersky, Keep Aware, KnowBe4, Mimecast, Sophos, Sublime Security, Trustwave, and VIPRE—the use of SVG files in phishing campaigns has become a pronounced trend. Particularly noteworthy is the analysis by Sublime Security: in the first quarter of 2025, such attachments already accounted for 1% of all phishing attempts detected by their system.
Yet the statistics become truly alarming when examining the trajectory. Compared to the fourth quarter of 2024, the number of phishing-related SVG files has surged by a staggering 47,000%. This marks not merely a spike in interest, but an outright explosion—one that shows every sign of becoming a long-term fixture in the threat landscape.
The root of the problem lies in the inherent nature of the format. Unlike conventional image files, SVGs are textual XML documents in which shapes are defined by mathematical formulas. When opened, a browser or email client interprets the code and renders the image in real time. This means the user sees not a static picture, but the visual output of executed code.
Herein lies the critical vulnerability: SVG files can embed not only graphical descriptions but also full-fledged HTML and JavaScript components—the very building blocks of modern web development. This effectively transforms an image into an executable container.
Rather than luring users to malicious websites, attackers now embed their payloads directly within the SVG file. A common scenario involves a logo embedded in an email signature. When the recipient opens the message, the embedded script silently renders a phishing page inside the email client. Any credentials entered on that page are instantly transmitted to the attacker. Some variants can even bypass two-factor authentication.
In certain cases, the SVG file can autonomously redirect the user to a malicious website without any interaction—simply opening the email is enough. The browser or email client reads the file and executes the embedded script.
Cloudflare’s security team aptly described SVG files as “programmable documents”—a definition that captures the core of the issue: these “images” are capable of executing arbitrary code and behaving like active content, rather than passive graphics.
Attempts to exploit SVG files for phishing have been observed before—the first warnings surfaced in November of last year. However, the current escalation signals that this is not a fleeting trend but a formidable and deeply entrenched threat. Experts warn that the situation will remain dire unless major email providers—such as Gmail, Hotmail, and iCloud Mail—begin aggressively filtering SVG content, restricting the execution of interactive components, or outright banning the format from emails altogether.
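As an added example (not from the article or from any vendor named in it), here is a minimal Python check a mail filter could run over SVG attachments to flag the script, event-handler and embedded-HTML content described above. The function names, finding labels and sample SVGs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Elements that carry script or embedded HTML rather than vector shapes.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}
SCRIPT_SCHEMES = ("javascript:", "data:text/html")

def local(name: str) -> str:
    """Strip the XML namespace: '{ns}tag' -> 'tag', lower-cased."""
    return name.rsplit("}", 1)[-1].lower()

def scan_svg(data: bytes) -> list[str]:
    """Return findings for active content in an SVG attachment ([] = passive)."""
    # Entity declarations can blow up parsing cost; flag instead of expanding.
    if re.search(rb"<!ENTITY", data, re.I):
        return ["entity-declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["malformed-xml"]  # an unparseable "image" is itself suspicious
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"element:{tag}")
        for attr, value in el.attrib.items():
            name = local(attr)
            # Browsers drop tabs and newlines inside URLs; strip whitespace first.
            url = re.sub(r"\s+", "", value).lower()
            if name.startswith("on"):  # onload, onclick, ...
                findings.append(f"handler:{name}")
            elif name in URL_ATTRS and url.startswith(SCRIPT_SCHEMES):
                findings.append(f"script-url:{name}")
    return findings

# Constructed samples (not taken from any real campaign).
NS = b'xmlns="http://www.w3.org/2000/svg"'
BENIGN = b'<svg ' + NS + b' viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
SCRIPTED = b'<svg ' + NS + b' onload="/* placeholder */"><script>/* placeholder */</script></svg>'
FORM = (b'<svg ' + NS + b'><foreignObject width="300" height="200">'
        b'<body xmlns="http://www.w3.org/1999/xhtml"><form><input name="user"/></form>'
        b'</body></foreignObject></svg>')

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("scripted", SCRIPTED), ("form", FORM)]:
        print(label, scan_svg(sample) or "no active content")
```

A non-empty result is a reason to quarantine the attachment or rasterize it before delivery; an empty result only means none of these specific constructs were found.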