Why are SVG files dangerous?
Recently, criminals have been increasingly using SVG files to carry out malware and phishing attacks. At first glance, SVG files are considered harmless – after all, they are simple vector graphics.
However, SVG files are essentially XML documents, which means that they can contain various code elements in addition to pure graphic descriptions. Some of these are useful, others are potentially dangerous.
One of the dangerous code types in SVG files is JavaScript: when an SVG is rendered directly in a browser, embedded scripts can be used for XSS or HTML smuggling. The aim is to lure victims to fake login pages or trick them into installing malware.
Danger not recognizable
What also makes attacks with SVGs so dangerous is that the phishing is, in a sense, invisible: because the malicious code is hidden in the XML, the attack runs entirely in the background. This makes technical defensive measures all the more important; other measures such as employee awareness training are largely ineffective here.
The Austrian CERT points out that opening SVG files offers attackers numerous opportunities:
The aim is almost always to steal passwords or other login data. The SVGs often come in the form of invoices, alleged voice messages or documents to be signed.
How does an attack with SVG files work?
The starting point is always the circulation of the malicious SVG file, for example via phishing emails with attachments or messenger services (LinkedIn, WhatsApp Web). An example would be a supposed PowerPoint presentation that is actually just an image in SVG format showing the first page of a presentation.
Example: SVG Smuggling with the file invoice.svg
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200">
  <script type="text/javascript">
  <![CDATA[
    const zipData = atob("UEsDBAoAAAAAA..."); // heavily truncated Base64 ZIP
    const blob = new Blob([zipData], { type: "application/zip" });
    const link = document.createElement("a");
    link.href = URL.createObjectURL(blob);
    link.download = "invoice.zip";
    link.click();
  ]]>
  </script>
  <text x="10" y="50" font-size="20">Loading...</text>
</svg>
Explanation:
<script> with <![CDATA[ … ]]>: enables the insertion of JS code in the XML context
atob(…): decodes a Base64-encoded ZIP file
Blob(…): creates a file in memory
createObjectURL(…): creates a download link in the browser
link.click(): simulates a click to trigger the download automatically
Latest case: Strela Stealer
CERT.at is currently observing an increased number of SVG-based phishing campaigns in Austria that spread the Strela Stealer. This malware is specifically designed to steal login data for email accounts.
Typically, such an attack begins with an email containing a manipulated SVG file in the attachment, which is often disguised as a seemingly legitimate file, such as “invoice_12345.svg”. If the victim opens the file, for example by clicking on it in the email client or browser, the JavaScript embedded in it is activated. After minimal interaction, this script automatically executes the next stage of the attack and downloads a ZIP file to the victim’s system.
The downloaded ZIP file contains a JScript file that acts as a loader. Once started, this loader checks certain system conditions and then downloads the actual malicious functionality. In the variant currently observed, these are PowerShell scripts.
Protection against dangerous SVG files – what you need to do now
In general, it is important to be careful when handling SVG files: Do not open SVG files from unknown emails, ZIP archives or messenger messages, especially if these files have generic names such as Angebot12345.svg or similar. It is also advisable not to open SVGs in the browser, but in graphics programs.
NoSpamProxy customers can block malicious SVG files by configuring a corresponding condition in the content filter using *.svg:
Depending on the content filter action, the attachment can then be removed, uploaded to the Web Portal or the entire email can be rejected. However, as SVG is a legitimate format, it can be problematic to reject emails with SVG files in principle or to remove the attachments. This is where the Level of Trust system comes in, which can be used to distinguish between known and unknown communication partners.
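A content-filter style check for the active-content markers discussed above (script elements, event-handler attributes, active URL schemes, and the atob/Blob/createObjectURL/click chain from invoice.svg), written here as an added example; it is neither NoSpamProxy code nor the CERT.at sample. The two SVG inputs are constructed, and the ZIP payload is a placeholder string.

```python
"""Flag SVG attachments carrying active content (added example, constructed samples)."""
import re
import xml.etree.ElementTree as ET  # for untrusted mail input, defusedxml is the safer parser

# Elements that have no place in a plain vector graphic.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# The browser APIs invoice.svg chains together to drop a file on disk.
SMUGGLING_APIS = re.compile(r"atob\(|new Blob\(|createObjectURL\(|\.download\s*=|\.click\(")
# data: also covers legitimate inline images; tune this for your own traffic.
ACTIVE_SCHEMES = re.compile(r"^\s*(javascript|data|vbscript):", re.I)

def local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.split("}", 1)[1] if name.startswith("{") else name

def scan_svg(data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing active was seen."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        if tag == "script" and el.text and SMUGGLING_APIS.search(el.text):
            findings.append("script uses download-smuggling APIs (atob/Blob/createObjectURL/click)")
        for attr, value in el.attrib.items():
            a = local(attr)
            if a.startswith("on"):                      # onload=, onclick=, ...
                findings.append(f"event handler {a} on <{tag}>")
            elif a == "href" and ACTIVE_SCHEMES.match(value):
                findings.append(f"{a} with active scheme on <{tag}>")
    return findings

# Constructed sample modelled on the article's invoice.svg; the ZIP payload is a placeholder.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200">
<script type="text/javascript"><![CDATA[
const zipData = atob("PLACEHOLDER_BASE64");
const blob = new Blob([zipData], { type: "application/zip" });
const link = document.createElement("a");
link.href = URL.createObjectURL(blob);
link.download = "invoice.zip";
link.click();
]]></script>
<text x="10" y="50" font-size="20">Loading...</text>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10" fill="red"/></svg>'
```

Any non-empty result is the signal for the content-filter action (remove, quarantine, or reject) rather than blocking every *.svg outright.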
Not yet using NoSpamProxy?
With NoSpamProxy you can reliably protect your company from scamming attacks and benefit from many other security functions. Request your free trial version now!