Can SVG Files Contain Malware? Understanding How Attackers Use SVGs for JavaScript-Based Phishing (2025 Guide)

In 2025, cybercriminals have increasingly begun using Scalable Vector Graphics (SVG) files as malware delivery mechanisms. Unlike traditional phishing methods, these attacks embed obfuscated JavaScript directly into SVG images, bypassing email filters and endpoint security systems. The moment a user previews or opens the SVG, hidden scripts trigger redirection to credential-stealing websites, often mimicking Microsoft 365 login portals. This blog explains how SVG JavaScript smuggling works, why it’s hard to detect, real-world attack examples, and practical steps businesses and individuals can take to protect themselves from this rising threat.

  Security News & Threat Intelligence   Jul 18, 2025   30  Add to Reading List
Can SVG Files Contain Malware? Understanding How Attackers Use SVGs for JavaScript-Based Phishing (2025 Guide)

Table of Contents

If someone sent you an image file that looks harmless—like an icon or a "missed call" notification—would you click it? Many people would, and that’s exactly what cyber attackers are counting on in 2025.

Attackers have found a sneaky new trick: they’re turning SVG (Scalable Vector Graphics) files into malware delivery systems. These aren’t ordinary pictures—they hide dangerous JavaScript code that can steal your passwords the moment you open them in your browser.

Let’s break down how it works, why it’s so hard to detect, and what businesses and individuals can do to stay safe.

What’s Actually Happening?

  • Attackers use SVG files because email filters treat them like safe image files.

  • Inside these SVG files is hidden JavaScript code.

  • When a victim previews or opens the SVG file, the JavaScript runs quietly.

  • Victims are redirected to fake websites (like fake Microsoft 365 login pages).

  • Usernames and passwords are stolen without needing to download or run a program.

Real-World Example:
Imagine receiving an email saying “You missed a call” with a tiny icon attached. When you open it, your browser quietly connects to an attacker’s server. You see a login page that looks like Microsoft 365, but it’s fake. You type your password… now they have your credentials.

Why Are SVG Files Being Used?

SVG files are not new; they’re used all over the web for logos, icons, and illustrations. What’s different now:

  • Browsers automatically render SVGs.

  • Security software often ignores SVG files thinking they’re “just images.”

  • Attackers don’t need you to install anything—they just need you to open the file.

Technical Trick: JavaScript Smuggling in SVG

Inside each malicious SVG, there’s:

  • A script tag containing encrypted JavaScript.

  • A decoding function that unlocks the hidden JavaScript using a small key.

  • Code that sends users to an attacker-controlled website.

For example: 

window.location.href = atob(
  'aHR0cHM6Ly93dnJ6LmxmdGt2b2cubmV0L...'
) + token;

The atob() function translates the hidden address, so anti-virus software can’t easily spot it.

Why Traditional Security Tools Struggle to Detect It

  • No executable files involved.

  • Looks like a normal image attachment.

  • Dynamic redirection based on country or IP address.

  • Uses Base64 and XOR encryption to hide the script.

It’s smart and dangerous because most companies only scan for things like .exe or .zip attachments—not .svg images.

Real Impact: Who’s Being Targeted?

  • B2B Service Providers

  • SaaS Companies

  • Regular Office Users with Microsoft 365 accounts

Companies that don’t have strict email policies (like DMARC enforcement) are especially vulnerable.

Spotted by:
Analysts at Ontinue security firm tracked these attacks across service providers and SaaS platforms. They noticed unique Base64 strings inside the SVGs that help attackers track each victim individually.

How Can You Protect Yourself?

For Businesses:

  • Quarantine all unsolicited SVG email attachments.

  • Enable Content Disarm & Reconstruction (CDR).

  • Set DMARC email security policies to reject suspicious emails.

  • Invest in email security solutions that scan image files for hidden scripts.

  • Educate employees about phishing techniques.

For Regular Users:

  • Don’t open unknown SVG or image attachments.

  • If an email looks too simple (like “Missed Call”), be suspicious.

  • Always check the website address before entering your login details.

A Quick Table Summary

Feature Details
Attack Vector Malicious SVG attachments in emails
Main Goal Steal login credentials via hidden JavaScript
How It Works JavaScript smuggling with Base64, XOR encoding
Detection Difficulty Very High (bypasses traditional filters)
Prevention Measures Quarantine SVGs, enable CDR, strict DMARC
Targets Microsoft 365 users, SaaS companies, B2B firms

Conclusion

Cyber criminals are always evolving. While once they relied on convincing users to download software or click on suspicious links, now even simple image files can be weapons.

The takeaway is clear: if your business or personal security relies only on detecting executable files, that’s not enough anymore.

SVG files might look like harmless images—but in the hands of a skilled attacker, they can become silent thieves.

FAQs 

What is SVG malware?

SVG malware refers to malicious scripts embedded within Scalable Vector Graphics (SVG) files. Attackers hide JavaScript code inside SVGs to bypass security systems and steal sensitive information like login credentials.

Can opening an SVG file infect my computer?

Yes, opening or previewing a malicious SVG file in a web browser can execute hidden JavaScript, redirecting you to phishing sites or initiating other attacks.

How do attackers use SVG files in phishing campaigns?

Attackers embed obfuscated JavaScript in SVG email attachments. When users open the file, it triggers redirects to fake login pages designed to steal credentials.

Why are SVG files used instead of traditional malware?

SVG files are treated as harmless images by many security filters, allowing them to bypass defenses that block executables, scripts, or archives.

Is SVG JavaScript smuggling a new cyber threat?

While not brand new, SVG JavaScript smuggling has seen a surge in 2025 due to improved evasion techniques and its effectiveness in phishing campaigns.

How does JavaScript smuggling work inside SVG files?

Attackers encrypt JavaScript payloads within SVGs using methods like Base64 and XOR keys. When opened, a hidden function decrypts and runs the code in memory.

What’s the risk level of SVG-based phishing attacks?

SVG-based phishing attacks are considered high risk because they bypass multiple layers of security and do not require users to download executable files.

How can I detect SVG malware?

Detecting SVG malware requires deep content inspection tools that analyze embedded scripts in image files or monitoring unusual behavior in browsers and email systems.

What tools can inspect SVG files for malware?

Advanced email security platforms, SIEM systems, and content disarm & reconstruction (CDR) tools are effective in detecting hidden scripts within SVG files.

Can antivirus software detect malicious SVG files?

Most traditional antivirus programs may not detect SVG malware unless they specifically scan for script tags or obfuscated JavaScript inside image files.

What is Content Disarm and Reconstruction (CDR)?

CDR is a security technique that strips active content from files like SVGs, allowing only the safe, visible parts of the file through to the end-user.

What types of organizations are most at risk?

SaaS providers, B2B service companies, and organizations using Microsoft 365 are particularly targeted by SVG phishing attacks due to their reliance on browser-based platforms.

How does DMARC help against SVG phishing attacks?

Strict DMARC policies help prevent spoofed email domains, reducing the risk of phishing emails carrying malicious SVG files reaching your inbox.

Can SVG files contain obfuscated JavaScript?

Yes, attackers use obfuscation techniques like Base64 encoding, XOR encryption, and dynamic function creation to hide malicious JavaScript in SVG files.

What is a real-world example of SVG malware?

Ontinue security researchers identified SVG-based phishing waves targeting service providers with fake missed call notifications containing hidden JavaScript.

Are SVG malware attacks limited to email?

No, attackers can also distribute malicious SVGs through websites, chat apps, or file-sharing platforms, although email remains the most common vector.

How do attackers track victims using SVG phishing?

Attackers embed unique tracking strings inside each SVG file to map which user opens the file and clicks through to the phishing site.

How does browser behavior impact SVG malware detection?

Since browsers render SVG files natively, they automatically execute any embedded JavaScript without showing installation prompts, making detection harder.

What is the role of Base64 encoding in SVG malware?

Base64 encoding hides malicious URLs or scripts inside SVG files, helping attackers bypass content scanning and making reverse engineering more difficult.

Can opening SVG files offline trigger malware?

Generally, SVG malware relies on online redirects. Opening a malicious SVG file offline is unlikely to trigger its payload unless it includes embedded offline exploits.

What are self-decoding SVG scripts?

Self-decoding SVG scripts contain encrypted payloads that automatically decrypt and execute themselves using in-browser JavaScript functions when opened.

How do security teams handle SVG phishing incidents?

Security teams isolate affected systems, analyze email telemetry, inspect user accounts for unauthorized access, and implement stricter email filtering rules.

What does “zero persistence” mean in SVG malware?

Zero persistence means the malware doesn’t install anything on the victim’s system. It operates only in memory or browser sessions, making forensic detection harder.

How do attackers avoid sandbox detection with SVG files?

Attackers use geofencing to detect if an SVG file is opened in a sandbox outside their target region, serving benign content instead of malicious payloads.

What kind of phishing pages are used with SVG malware?

Attackers commonly use Microsoft 365 look-alike login pages designed to harvest user credentials once victims are redirected from the SVG file.

Is blocking SVG attachments a good security measure?

Yes, blocking unsolicited SVG attachments is a recommended step for organizations until security tools can accurately inspect these file types.

Can SVG images on websites also carry malware?

Yes, if hosted by an attacker-controlled website, SVG images embedded in web pages can contain malicious scripts that execute in a visitor’s browser.

What is deep content inspection?

Deep content inspection is an advanced security method that scans file content—including images and attachments—for hidden threats like embedded scripts.

How do I set DMARC to reject suspicious emails?

You can set your DMARC policy by updating your domain’s DNS record with a policy value of p=reject to block all unauthorized emails.

What’s the difference between SVG malware and traditional phishing?

SVG malware relies on file format tricks and browser rendering, whereas traditional phishing usually involves links or attachments that directly download malicious executables.

Why is SVG phishing considered a next-gen attack?

SVG phishing avoids traditional malware markers, leverages file types users trust, and uses browser-based execution, making it harder for legacy security systems to detect.

Join Our Upcoming Class!

Tags