Attackers Hide JavaScript in SVG Images to Lure Users to Malicious Sites

Beware! SVG images are now being used with obfuscated JavaScript for stealthy redirect attacks via spoofed emails. Get insights from Ontinue’s latest research on detection and defence.

HackRead

A new form of cyberattack is on the rise, with hackers now using seemingly harmless Scalable Vector Graphics (SVG) image files to sneak malicious code past traditional defences, reveals the latest research from the Ontinue Advanced Threat Operations team.

This technique, dubbed “SVG Smuggling” by researchers, weaponises these typically benign image files to redirect users to attacker-controlled websites without their knowledge. Ontinue’s findings, shared with Hackread.com, highlight these targeted attacks, primarily aimed at B2B service providers, including firms handling sensitive corporate data (such as financial and employee information), utilities, and SaaS providers, all of which are frequently exposed because of their high email volumes.

**Phishing Lure**

The attack begins with deceptive emails crafted by cybercriminals using themes like “ToDoList,” “Missed Call,” or “Payment” notifications. These are highly convincing phishing emails that appear to come from trusted sources or individuals, exploiting weak or absent security measures such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).

These are all email authentication methods designed to verify that an email is legitimate and hasn’t been faked. Sometimes, attackers even use lookalike domains – web addresses that closely resemble legitimate ones – to trick users.

The malicious SVG file can be attached directly to the email or linked as an external image. The emails themselves are often kept very simple to avoid suspicion and encourage the recipient to open the SVG, which then triggers the hidden script.

**Attack Details**

Attackers use temporary, low-reputation domains with random subdomains to host their malicious infrastructure, making them hard to track and block. This evolving threat involves embedding hidden, obfuscated JavaScript code within SVG files, often inside `<script><![CDATA[ ... ]]></script>` sections, where the CDATA wrapper keeps the script body from being parsed as XML markup. When a user opens or previews such an SVG in a web browser, the concealed script runs silently.

This script, using a static XOR key to decrypt its payload, then uses built-in browser functions like window.location.href (which changes the current web page address) and atob() (which decodes Base64-encoded data) to send the victim to a fraudulent site. The final redirect URL often includes Base64-encoded strings, likely used for victim tracking or correlation.

**Protecting Against SVG Smuggling**

As per Ontinue security experts, this technique bypasses many common tools by hiding harmful code in images. To counter it, organisations should activate Microsoft Defender features like Safe Links, Safe Attachments, Anti-Phishing policies, and Zero-hour Auto Purge (ZAP). Strengthening email security with DMARC, SPF/DKIM alignment, blocking SVG attachments, or content disarmament is vital. Monitoring lookalike domains and educating users about SVG risks are also critical steps to stay protected.
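One way to implement the detection and content-disarm steps recommended above, as an added example that is not code from Ontinue or HackRead: it flags `<script>` elements (including CDATA bodies mentioning atob() or window.location), inline event handlers and javascript: links, then returns a stripped copy of the file. The SVG in the block is constructed for this example and its script body is an inert placeholder.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Behaviours named in the report, matched inside <script> text (CDATA included).
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "location_redirect": re.compile(r"(window|document)\.location(\.href)?\s*="),
    "xor_decode": re.compile(r"\^\s*(0x[0-9a-fA-F]+|\d+|[A-Za-z_]\w*)"),
}

def _local(qname):  # '{http://www.w3.org/2000/svg}script' -> 'script'
    return qname.rsplit("}", 1)[-1]
def _is_js_href(attr, value):
    return _local(attr) == "href" and value.strip().lower().startswith("javascript:")

def analyse_svg(svg_text):
    """Collect the findings that justify blocking or disarming an SVG attachment."""
    root = ET.fromstring(svg_text)
    found = {"scripts": 0, "event_handlers": [], "javascript_hrefs": 0, "indicators": set()}
    for el in root.iter():
        if _local(el.tag) == "script":
            found["scripts"] += 1
            found["indicators"].update(n for n, p in INDICATORS.items() if p.search(el.text or ""))
        for attr, val in el.attrib.items():
            if _local(attr).startswith("on"):          # onload=, onclick=, ...
                found["event_handlers"].append(_local(attr))
            if _is_js_href(attr, val):
                found["javascript_hrefs"] += 1
    return found

def is_suspicious(found):
    return found["scripts"] > 0 or bool(found["event_handlers"]) or found["javascript_hrefs"] > 0

def disarm_svg(svg_text):
    """Content disarm: return the SVG with <script>, on* handlers and javascript: links removed."""
    root = ET.fromstring(svg_text)
    for parent, child in [(p, c) for p in root.iter() for c in p if _local(c.tag) == "script"]:
        parent.remove(child)
    for el in root.iter():
        for attr in list(el.attrib):
            if _local(attr).startswith("on") or _is_js_href(attr, el.attrib[attr]):
                del el.attrib[attr]
    ET.register_namespace("", SVG_NS)   # keep the default xmlns on output
    return ET.tostring(root, encoding="unicode")
# Constructed sample for this example: the script body is an inert placeholder, not a real payload.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue" onload="void 0"/>
  <script><![CDATA[ window.location.href = atob("PLACEHOLDER_BASE64"); ]]></script>
</svg>"""
```

Rendering an SVG inside an `<img>` tag does not execute its script; the risk arises when the file is opened or previewed as a document, which is why the check is applied at the mail gateway rather than relying on the viewer.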

This is a fresh spin on the technique of using image files for delivering suspect content, in this case, malicious PDFs. The attackers have to rely on complacency (“it’s only an image, it doesn’t execute code”) to lull organisations into accepting this content and getting it on the inside of a network, said John Bambenek, President at Bambenek Consulting.

While this report and research are valuable to enterprises, and the search is valuable for hunt teams, organisations without a security staff or end consumers will remain vulnerable to conventional cybercrime with this technique, he added.
