Cyberattacks via SVG Files: Gmail, Outlook, and Dropbox Users Targeted

As modern cyberattack techniques become increasingly sophisticated, cybercriminals are turning to new and innovative methods. Recently, attackers have been using Scalable Vector Graphics (SVG) files to carry out phishing campaigns against Gmail, Outlook, and Dropbox users. This dangerous tactic helps bypass antivirus and spam filtering systems, allowing hackers to steal millions of users’ confidential data.

Although phishing attacks have always been widespread, cybercrimes involving SVG files have surged since January 2025. The reason is that SVG files are not just simple images but XML-based documents that can contain active web content such as JavaScript, HTML, and embedded links. Attackers exploit this feature to redirect users to phishing pages and distribute malicious software.

Many users are accustomed to image files in JPEG or PNG formats. However, the key difference with SVG format is that it not only stores images but can also contain active code. As a result, when a user opens such a file, it automatically launches in a browser and can redirect them to suspicious pages.

How Phishing Attacks via SVG Files Work:

1️⃣ Cybercriminals send phishing emails with attached SVG files.
2️⃣ When the user opens the file, the browser automatically launches and displays a phishing page.
3️⃣ This page is designed to closely resemble official login pages of services like Microsoft Office365, Dropbox, or DocuSign.
4️⃣ Once the user enters their login credentials, the information is sent to the attackers’ server.

The effectiveness of such attacks relies on social engineering tactics, as hackers use deception to trick users into interacting with phishing pages.

Common Phishing Themes Used in These Campaigns:

“New Voicemail Received” – A message claiming you have a new voicemail.
“Payment Confirmation – SWIFT [random code]” – Emails related to financial documents that lure users to phishing links.
“E-Signature Required: Capital Financing Documents” – Fake messages requesting users to verify documents.

Hackers also impersonate popular services like Microsoft SharePoint, Google Drive, and DocuSign to make their phishing emails appear more legitimate.

Some SVG files can contain JavaScript code, which can redirect users to phishing pages without them clicking any links. Additionally, advanced phishing campaigns tailor pages based on the user’s language and geographical location.
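As an added illustration (not part of the original article), here is a mail-gateway style check that flags SVG attachments carrying the active content described above: script elements, event-handler attributes, embedded HTML, and script or remote links. The tag list, finding labels, and sample files are assumptions constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Assumed policy for this example: elements that can run or embed active content.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
LINK_ATTRS = {"href", "src"}
REMOTE = re.compile(r"^\s*(https?:)?//", re.I)
SCRIPT_URI = re.compile(r"^\s*(javascript\s*:|data\s*:\s*text/html)", re.I)

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1].lower()

def scan_svg(data: bytes):
    """Return a sorted list of findings; an empty list means no active content."""
    # Refuse DTDs and entity declarations instead of letting the parser expand them.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.I):
        return ["doctype-or-entity"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["malformed-xml"]
    findings = set()
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.add(f"active-element:{tag}")
        for name, value in el.attrib.items():
            attr = local(name)  # xlink:href and href both become "href"
            if attr.startswith("on"):
                findings.add(f"event-handler:{attr}")
            elif attr in LINK_ATTRS and SCRIPT_URI.match(value):
                findings.add(f"script-uri:{attr}")
            elif attr in LINK_ATTRS and REMOTE.match(value):
                findings.add(f"remote-link:{attr}")
    return sorted(findings)

# Constructed samples: a static image and an SVG with active content (placeholder script body).
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
SUSPICIOUS = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">'
    b'<script>/* constructed placeholder */</script>'
    b'<a href="https://login.example.invalid/"><text>Open</text></a></svg>'
)

if __name__ == "__main__":
    print("benign:", scan_svg(BENIGN))
    print("suspicious:", scan_svg(SUSPICIOUS))
```

A non-empty result is a reason to quarantine or strip the attachment for review; it is not proof of malice, since legitimate SVGs sometimes contain links.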

Other Dangerous Techniques Used in These Attacks:

Base64-encoded malicious scripts: These scripts can be embedded in ZIP archives and may include keyloggers based on AutoIt. For instance, keyloggers like Nymeria have been used to steal personal data.

Examples of past attacks:
🔸 One campaign used SVG files to distribute a Trojan (Troj/AutoIt-DHB).
🔸 Another campaign imitated DocuSign pages, tricking users into downloading malicious HTML files.

How to Protect Yourself from These Phishing Attacks:

Do not open SVG files directly in your browser. Instead, configure your system to open them in a text editor like Notepad.
Avoid opening attachments from unknown senders or emails with suspicious subject lines.
Verify website URLs before entering any credentials.
Keep your antivirus software updated to detect threats like Cxmail/EmSVG-C.
Enable two-factor authentication (2FA) on Gmail, Outlook, and other services.

The use of SVG files by cybercriminals marks a new phase in phishing attacks. What appears to be a simple image file can actually contain complex and malicious code. Therefore, both businesses and individuals must remain vigilant, strengthen email security, and implement advanced protective measures.

In today’s world, cybersecurity is not just about software or antivirus programs—it is about user awareness and taking proactive precautions. To stay protected from these emerging threats, it is essential to follow the recommended security measures.
