![\"Man](\"https:\/\/www.europesays.com\/us\/wp-content\/uploads\/2025\/07\/1752906970_314_960x0.jpg\")
<\/p>\n<\/p>\n
You will not see this attack.<\/p>\n
getty<\/p>\n
Republished on July 19 with new analysis into this dangerous image email attack.<\/p>\n
Here we go again. There\u2019s a fast growing threat in your inbox that\u2019s hard to detect \u2014 even for security software on your PC. This has \u201cseemingly come out of nowhere<\/a>,\u201d but you need to be aware. And it means deleting a raft of incoming emails.<\/p>\n The new warning comes courtesy of Ontinue<\/a>, which says \u201cthreat actors are increasingly leveraging Scalable Vector Graphics (SVG) files as a delivery vector for JavaScript-based redirect attacks.\u201d Plenty of these images, \u201ccommonly treated as harmless\u201d contain \u201cembedded script elements\u201d that lead to browser redirects. And that\u2019s a huge risk.<\/p>\n While these images might be .SVG attachments, as we have seen before<\/a>, they could also be links to external images pulled into the email. And the campaign also relies on spoofed domains and email lures to trick users into opening and engaging.<\/p>\n ForbesApple\u2019s Next iPhone Upgrade May Be Bad News For GoogleBy Zak Doffman<\/a><\/p>\n As Sophos<\/a> explains, the SVG file format \u201cis designed as a method to draw resizable, vector-based images on a computer. By default, SVG files open in the default browser on Windows computers. But SVG files are not just composed of binary data, like the more familiar JPEG, PNG, or BMP file formats. SVG files contain text instructions in an XML format for drawing their pictures in a browser window.\u201d<\/p>\n VIPRE<\/a> warns that \u201cup until this point, SVGs have been recognized by email security tools as generally benign image files, which is why attackers are now having so much success hiding their nefarious exploits in them.\u201d<\/p>\n Looking at these latest attacks, SlashNext\u2019s J Stephen Kowski told me \u201cwhen you open or preview these \u2018images,\u2019 they can secretly redirect your browser to dangerous websites without you knowing.\u201d That means you need to be \u201cextra careful\u201d with images.<\/p>\n Because these attackers leverage spoofed domains and senders to trick you, it isn\u2019t as easy as just avoiding emails from unknown senders. Instead, you should delete any email with an .SVG attachment unless you\u2019re expecting it. And you should allow your browser to block external images until you\u2019re certain of their origin.<\/p>\n Kowski says these emails will also likely be \u201cpushy about viewing the image right away,\u201d and while \u201cyour email provider\u2019s built-in security features, such as spam filtering and safe attachments, can help, they\u2019re not perfect against these newer tricks.\u201d<\/p>\n Jason Soroko from Sectigo goes even further, warning security teams to \u201ctreat every inbound SVG as a potential executable,\u201d as the surge in such attacks continues.<\/p>\n The real threat though lies in user complacency. SVG attacks, VIPRE says, are now tussling with PDFs to become \u201cattackers\u2019 favorite attachments of choice.\u201d These are only images, most users assume, and so no click-throughs, no harm.<\/p>\n