SVG Phishing Emails Bypass Email Security: SANS Flags New MIME-Type Evasion

Attackers swap in a deprecated ECMAScript MIME type to slip past gateways scanning for JavaScript.


A fresh wave of phishing emails is exploiting a blind spot in enterprise email security tools — one that most organizations have not closed — by disguising executable JavaScript inside SVG image files that open silently in any Windows browser. SANS Internet Storm Center handler Xavier Mertens documented the technique in an analysis published this morning, June 2, 2026, after his inbox was flooded with the emails over the past several days. Security teams that have hardened their defenses against macro-laden Office documents and malicious PDFs may have no detection rule covering this vector at all.

The attack requires no special software, no user permission, and no deception beyond the appearance of an ordinary image attachment. Windows opens SVG files natively in the default browser. The moment a recipient double-clicks the attachment, the embedded script runs and the browser silently redirects to a credential-harvesting page tailored specifically to that recipient's email address.

This is not a niche experiment by a single threat actor. Malicious SVG attachments increased fifty-fold in 2025 compared to 2024, according to Hoxhunt's 2026 phishing trends research, and now rank as the third most common malicious attachment type in phishing email campaigns globally — behind only PDFs and HTML files. In a single SVG-based phishing campaign in February 2026, Microsoft tracked delivery of 1.2 million messages to more than 53,000 organizations across 23 countries.

What Makes SVG Files Dangerous as Email Attachments

Scalable Vector Graphics, or SVG, is an open web standard designed for icons and illustrations. Unlike JPEG or PNG files, which contain binary pixel data that no browser executes, SVG files are written in XML — the same markup language underlying web pages. That means an SVG file can contain script tags, anchor elements, and other active web content that a browser will process immediately upon opening.

The files in Mertens' analysis contain no graphical content at all. They are purely code: a few dozen lines of obfuscated JavaScript wrapped in the thinnest possible SVG shell. No icon appears, no image renders. The entire purpose of the SVG container is to reach the victim's browser while being classified as an image attachment by the email gateway.

How Attackers Defeat Phishing Attachment Detection: Two Obfuscation Layers

The payload inside each SVG attachment in the current campaign uses two stacked obfuscation techniques to conceal the redirect destination from automated scanners.

The malicious URL is first encoded in Base64 — a standard, trivially reversible encoding that represents arbitrary bytes as letters, digits and a few punctuation characters — and then XOR-encrypted with a key that is split across two separate variables and assembled at runtime. A scanner that decodes the Base64 would still see only encrypted data; one that XOR-decrypts with the wrong key would see garbage. Reconstructing the actual destination URL requires knowing both that XOR encryption is in use and that the key is assembled from two concatenated values in the script — details that are not apparent without manual analysis.

The recipient's own email address is also encoded in Base64 and embedded directly in the SVG payload. When the redirect executes, the address is appended to the destination URL, creating a personalized phishing link for each target. This level of customization distinguishes the campaign from bulk spray operations and points toward a targeted approach designed to reduce the likelihood that a recipient dismisses the email as generic spam.

How Email Security Bypass Works: One Obsolete MIME Type

The most specific technical detail in Mertens' write-up concerns the MIME type used to declare the script block inside the SVG file. Standard email security tools — gateways, web application firewalls, attachment scanners — commonly pattern-match on text/javascript when scanning for script-bearing files. The attackers in this campaign use a different, functionally equivalent identifier: application/ecmascript.

Browsers treat both identifiers as equivalent and execute scripts labeled with either without distinction. Security tools that look only for text/javascript and application/javascript will not flag the alternative form.

The choice is deliberate. The application/ecmascript type is a legitimate IANA-registered identifier for ECMAScript — the specification that underlies JavaScript. Its use in web content dates back to the early 2000s. But the Internet Engineering Task Force formally obsoleted it in RFC 9239, published in May 2022, which designated text/javascript as the single correct MIME type for JavaScript and classified all alternatives — including application/ecmascript — as historical aliases. Browsers continue to execute scripts labeled with obsolete types because backward compatibility demands it. Security tools that have not updated their detection rules to account for obsolete aliases have a gap that attackers are now actively probing.

Mertens specifically flagged this as an evasion strategy: the attackers chose application/ecmascript not because it is required or convenient, but precisely because some security controls will miss it.

Why the .cfd Domain Completes the Evasion Picture

The redirect destination in the analyzed sample points to a domain using the .cfd top-level domain, which stands for Clothing, Fashion, and Design. Cloudflare's radar data shows .cfd is increasingly favored by phishing operators for two practical reasons: registration costs are low and the extension carries none of the reputation flags that established top-level domains such as .xyz or .top now carry with many email filtering systems. A gateway that blocks .xyz domains categorically will not automatically block .cfd.

The technique illustrates how the current SVG phishing campaign stacks evasions: an attachment format treated as an image, an obsolete MIME type that some tools miss, a payload obfuscated with XOR encryption, and a destination domain on a top-level domain with limited abuse history. Each layer alone might be caught; stacked together, they significantly increase the probability of reaching the inbox.

What Security Teams Should Do to Block SVG Phishing Attachments

The SANS analysis, combined with the broader 2025–2026 research from KnowBe4, Kaspersky, and Cloudforce One, points to three specific configuration changes that blue teams should prioritize.

First, review whether the email gateway blocks or quarantines SVG attachments that contain embedded script elements. Blocking all SVG attachments is a blunter option that eliminates the legitimate-use case for SVG files in email — a use case that is genuinely rare — while ensuring the vector is closed entirely. Organizations with documented business processes requiring SVG attachments by email should add a specific exemption, not assume the existing gateway rules cover the threat.

Second, update detection signatures to flag application/ecmascript alongside text/javascript and application/javascript as a script-type indicator in attachment scans. RFC 9239 deprecated application/ecmascript in 2022, but browsers still execute it, which means attackers can use it indefinitely. Any attachment declaring a script block with any ECMAScript-family MIME type should trigger the same scrutiny.

Third, audit whether Windows browser associations for SVG files allow auto-execution when a file is opened from an email client. In the default Windows configuration, double-clicking an SVG attachment opens it in the default browser, which executes any embedded script immediately. Changing file-handler associations so SVG files open in a text editor by default would break the execution chain before any redirect can occur, at the cost of requiring separate steps to view legitimate SVG graphics.
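As an added illustration of the first two recommendations (this is example code, not from the SANS analysis), the check below parses an SVG attachment and flags script content under every JavaScript MIME alias that RFC 9239 marks obsolete, including application/ecmascript, rather than only text/javascript and application/javascript. It also flags a script element with no type attribute (browsers default that to JavaScript), inline event-handler attributes and javascript: links; the sample SVG and the finding strings are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Every MIME type browsers execute as JavaScript: the one RFC 9239 keeps (text/javascript)
# plus the aliases it marks obsolete. Matching only the first two misses the rest.
SCRIPT_MIME_TYPES = {
    "text/javascript", "application/javascript", "application/ecmascript",
    "application/x-javascript", "application/x-ecmascript", "text/ecmascript",
    "text/x-javascript", "text/x-ecmascript", "text/jscript", "text/livescript",
} | {f"text/javascript1.{n}" for n in range(6)}

def _local(name: str) -> str:
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]

def normalize_mime(value: str) -> str:
    """Lower-case and drop parameters so 'Application/ECMAScript; charset=utf-8' matches."""
    return value.split(";", 1)[0].strip().lower()

def scan_svg(data: bytes) -> list[str]:
    """Return findings for active content in an SVG; an empty list means none seen."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML is itself a quarantine reason: a browser may still render it.
        return [f"unparseable XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            # No type attribute means JavaScript by default, so it is flagged as executable too.
            mime = normalize_mime(el.get("type", "")) or "(none)"
            known = mime == "(none)" or mime in SCRIPT_MIME_TYPES
            findings.append(f"script element, {'executable' if known else 'non-standard'} type {mime}")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload=, onclick=, ... inline event handlers
                findings.append(f"<{tag}> event handler attribute {name}")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"<{tag}> javascript: URL in href")
    return findings

# Constructed sample shaped like the campaign's attachments: no graphics, only a script
# block declared with the obsolete alias. The body is a harmless placeholder, not a payload.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <script type="application/ecmascript">/* placeholder, no payload */</script>
</svg>"""

if __name__ == "__main__":
    for finding in scan_svg(SAMPLE_SVG):
        print("FLAG:", finding)
```

For production scanning of untrusted attachments, swap xml.etree for defusedxml so that entity-expansion tricks cannot exhaust the scanner itself.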

Mertens notes that the current wave carries conventional credential-harvesting pages as its payload, but the delivery mechanism is not payload-specific. Any browser-executable content could be substituted — information stealers, exploit kits targeting browser vulnerabilities, or drive-by downloads. The technique is the threat to isolate and close; the payload is interchangeable.


Frequently Asked Questions

What is an SVG phishing email and why does it bypass security filters?

An SVG phishing email is an attack that attaches a Scalable Vector Graphics file — a format normally used for web icons and illustrations — to a phishing message. Because SVG files are written in XML and can contain JavaScript, they can silently redirect a victim's browser to a credential-harvesting site the moment the attachment is opened. Most email security gateways scan attachments for known-malicious file types such as Office documents with macros or executable files, but many have not been updated to deeply inspect SVG content for embedded scripts, allowing the attacks to reach inboxes undetected.

How does the MIME-type evasion technique in this SVG campaign work?

The attackers label the JavaScript embedded in the SVG file using the MIME type application/ecmascript rather than the standard text/javascript. Both identifiers instruct browsers to execute the script identically, but many email security tools pattern-match specifically on text/javascript and application/javascript. By substituting the obsolete but still-functional application/ecmascript — deprecated by RFC 9239 in May 2022 — the attackers exploit the gap between what browsers accept and what security scanners flag.

How do I protect my organization against malicious SVG email attachments?

Security teams should configure email gateways to block or quarantine SVG attachments containing embedded script elements, update detection rules to flag application/ecmascript alongside text/javascript and application/javascript, and audit Windows browser associations to prevent SVG files from auto-executing when opened from email. Employee training should also include guidance that SVG attachments from unknown senders deserve the same suspicion as executable files.

How widespread is SVG phishing in 2026?

Malicious SVG attachments increased fifty-fold in 2025 compared to 2024, according to Hoxhunt's H1 2025 threat intelligence research. SVGs now rank as the third most common malicious email attachment type globally. In a single February 2026 campaign, Microsoft tracked delivery of 1.2 million SVG-based phishing messages to more than 53,000 organizations in 23 countries.

ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.
