Malicious SVG Attachment

I’ve known for some time that .svg email attachments could be malicious, but this is the first time I’ve actually run across one. First, what is a .svg file? It’s a Scalable Vector Graphics file. Even though it’s typically displayed as an image, if you look at the source of the file, it’s essentially an XML file. I alerted my team to the possibility of these files being malicious a few months ago. I didn’t post here because I didn’t have an example of a malicious SVG file. Now I do, so here it is.

First, here is the email. It was sent from what appears to be a compromised email account since it was sent from hosts authorized in the SPF record to send using this domain. However, the domain isn’t protected by DMARC so it’s unlikely they take email security seriously. It’s posing as an Adobe shared file, saying to use the attachment to access the files.

Looking at the source of the .svg file attachment, you can see the XML. It contains a script element whose source is given as the included base64 text. You’ll see I removed portions of the text that specify the email address of the recipient.

Decoding the base64, you can see an obfuscated script:

If you load it into a browser, which I did through Any.Run, you can see it ends up at a phishing page posing as an M365 sign-in page.

I’d love to block all SVG files due to how easy it is to put together a malicious file. But, much like wanting to do this with HTML files, it’s not feasible since they are too commonly used in legitimate emails.

–Matt
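Where blocking every SVG isn’t an option, a mail filter can still flag the ones that carry script. The triage sketch below is an added example, not code from the original post: it assumes the script source is a base64 `data:` URI in `href` or `xlink:href`, and the function name, finding labels and sample SVG (with a benign payload) are constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
DATA_B64 = re.compile(r"^data:[^,]*;base64,(.*)$", re.I | re.S)

def local(name):  # strip the "{namespace}" prefix ElementTree adds
    return name.rsplit("}", 1)[-1].lower()

def triage_svg(svg_text):
    """Return (reason, detail) findings for active content in an SVG."""
    # Assumed policy: refuse to parse entity declarations (expansion bombs).
    if "<!ENTITY" in svg_text:
        return [("entity-declaration", "not parsed")]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [("parse-error", str(exc))]
    findings = []
    for el in root.iter():
        name = local(el.tag)
        if name == "script":
            src = (el.get("href") or el.get(XLINK_HREF) or "").strip()
            m = DATA_B64.match(src)
            if m:
                try:  # decode so an analyst sees the script, not the blob
                    decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
                except ValueError:
                    decoded = "<undecodable base64>"
                findings.append(("script-base64-source", decoded))
            elif src:
                findings.append(("script-external-source", src))
            if (el.text or "").strip():
                findings.append(("script-inline", el.text.strip()))
        for attr in el.attrib:  # onload, onclick, ... also run script
            if local(attr).startswith("on"):
                findings.append(("event-handler", f"{name}@{local(attr)}"))
    return findings

# Constructed sample: benign payload in the structure the post describes.
PAYLOAD = base64.b64encode(b"console.log('constructed sample');").decode()
SAMPLE = f'''<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <script href="data:application/ecmascript;base64,{PAYLOAD}"/>
  <rect width="10" height="10" onclick="void 0"/>
</svg>'''

if __name__ == "__main__":
    print(*triage_svg(SAMPLE), sep="\n")
```

An empty result means no script, event handler or entity declaration was found; any finding is a reason to quarantine the attachment for review rather than proof of phishing.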
