You will not see this attack.
getty
Republished on July 19 with new analysis into this dangerous image email attack.
Here we go again. Thereâs a fast growing threat in your inbox thatâs hard to detect â even for security software on your PC. This has âseemingly come out of nowhere,â but you need to be aware. And it means deleting a raft of incoming emails.
The new warning comes courtesy of Ontinue, which says âthreat actors are increasingly leveraging Scalable Vector Graphics (SVG) files as a delivery vector for JavaScript-based redirect attacks.â Plenty of these images, âcommonly treated as harmlessâ contain âembedded script elementsâ that lead to browser redirects. And thatâs a huge risk.
While these images might be .SVG attachments, as we have seen before, they could also be links to external images pulled into the email. And the campaign also relies on spoofed domains and email lures to trick users into opening and engaging.
ForbesAppleâs Next iPhone Upgrade May Be Bad News For GoogleBy Zak Doffman
As Sophos explains, the SVG file format âis designed as a method to draw resizable, vector-based images on a computer. By default, SVG files open in the default browser on Windows computers. But SVG files are not just composed of binary data, like the more familiar JPEG, PNG, or BMP file formats. SVG files contain text instructions in an XML format for drawing their pictures in a browser window.â
VIPRE warns that âup until this point, SVGs have been recognized by email security tools as generally benign image files, which is why attackers are now having so much success hiding their nefarious exploits in them.â
Looking at these latest attacks, SlashNextâs J Stephen Kowski told me âwhen you open or preview these âimages,â they can secretly redirect your browser to dangerous websites without you knowing.â That means you need to be âextra carefulâ with images.
Because these attackers leverage spoofed domains and senders to trick you, it isnât as easy as just avoiding emails from unknown senders. Instead, you should delete any email with an .SVG attachment unless youâre expecting it. And you should allow your browser to block external images until youâre certain of their origin.
Kowski says these emails will also likely be âpushy about viewing the image right away,â and while âyour email providerâs built-in security features, such as spam filtering and safe attachments, can help, theyâre not perfect against these newer tricks.â
Jason Soroko from Sectigo goes even further, warning security teams to âtreat every inbound SVG as a potential executable,â as the surge in such attacks continues.
The real threat though lies in user complacency. SVG attacks, VIPRE says, are now tussling with PDFs to become âattackersâ favorite attachments of choice.â These are only images, most users assume, and so no click-throughs, no harm.
ForbesApple WarningâDo Not Make These Calls On Your iPhoneBy Zak Doffman
Bambenek Consultingâs John Bambenek says this is âa fresh spin on the technique of using image files for delivering suspect content, in this case, malicious PDFs. The attackers have to rely on complacency (âitâs only an image, it doesnât execute codeâ) to lull organizations into accepting this content and getting it on the inside of a network.â
Ontinue says âthe observed targets of this campaign fall into B2B Service Providers, including the ones handling valuable Corporate Data regularly, including Financial and Employee data, Utilities, Software-as-a-Service providers that are great social engineering targets as they expect to receive a high volume of emails.â
The payload itself âis delivered via an .SVG file that contains a JavaScript block hidden within a CDATA section. The embedded code uses a static XOR key to decrypt a secondary payload at runtime. This decoded script reconstructs and executes a redirect command using the Function() constructor.â
And the team warns âthis technique demonstrates how adversaries are shifting away from executable payloads and towards smuggling (HTML and now SVG) techniques. By embedding script logic into image formats and using trusted browser functions, the attack chain avoids triggering traditional behavioral or signature-based alerts.â
The emails containing the attachments or links will be simple, âusing a minimal format to avoid detection and provoke curiosity or interaction.â Hijacking poorly protected domains or spoofing others with special characters enhances the lure.
âWhile this report and research is valuable to enterprises,â Bambenek says, âand the search valuable for hunt teams, organizations without a security staff or end consumers will remain vulnerable to conventional cybercrime with this technique.â
âThis SVG attack vector is exactly what weâve been tracking,â Kowski warns. âAttackers have exhausted much of the text-based social engineering playbook over the last ten years and are now getting creative with content payloads to execute malicious code.â And this is easily done because âattackers can easily spoof trusted senders, making recipients more likely to open what appears to be an innocent image file.â
ForbesDo Not Use This WiFi Setting On Your iPhone Or Android PhoneBy Zak Doffman
âThe beauty of SVG files from an attackerâs perspective,â he told me, âis that they look like harmless images but can contain embedded JavaScript that runs the moment someone opens the file in a browser, bypassing traditional email security that focuses on executable attachments.â Which means users need a new defensive playbook.
And so the advice is just as simple. If youâre not expecting an email which includes image links or .SVG attachments, delete them from your inbox. âThis campaign highlights a creative pivot in attacker methodology,â the team says, âusing benign file formats to hide malicious logic and evade established detection controls.â
Which is another way of saying that youâre your own best defense.