Sunday, May 25, 2025

Weaponized SVG Files With Google Drive Links Attacking Gmail, Outlook & Dropbox Users


A new wave of phishing attacks is leveraging Scalable Vector Graphics (SVG) files to bypass traditional email security measures and target users of Gmail, Outlook, Dropbox, and other popular platforms.

These attacks, which began gaining momentum in late 2024, have surged since January 2025, demonstrating the adaptability of threat actors in exploiting less scrutinized file formats.

SVG files, unlike standard image formats like JPEG or PNG, are text-based XML files designed to create scalable vector graphics.


This format allows for the inclusion of active web content such as JavaScript, HTML, and hyperlinks.

While this functionality is legitimate, cybercriminals are weaponizing it to embed malicious scripts and links that redirect users to phishing pages.

How the Attack Works

The attack typically starts with a phishing email containing an SVG attachment. When unsuspecting recipients open the file, it launches in their default web browser.

The SVG file may display simple graphics but also contains embedded hyperlinks or scripts that lead users to fake login portals mimicking services like Office365, Google Drive, or Dropbox.

These phishing pages often pre-fill the victim’s email address and use CAPTCHA challenges to appear legitimate while bypassing automated security scans.

In some advanced cases, SVG files include JavaScript that automatically redirects users to phishing sites without requiring them to click any links.

[Figure: A malicious SVG attached to a fake “fax notification” email]

Other variations involve Base64-encoded data within the SVG file that unpacks into malware-laden zip archives upon execution.

One notable example involved a Trojan (Troj/AutoIt-DHB) that installed a keystroke logger on victims’ devices.
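As an added example (not from the original article or the Sophos report), the following Python script shows how a mail gateway or analyst could triage an SVG attachment for the active content described above: scripts, event handlers, external hyperlinks, and long Base64 runs. The function names, finding labels, the 200-character threshold, and the sample files are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET  # for hostile input in production, prefer defusedxml

B64_RUN = re.compile(r"[A-Za-z0-9+/=]{200,}")   # long Base64-looking run
EMBED_TAGS = {"foreignobject", "iframe", "embed", "object"}

def local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()

def scan_svg(data: bytes) -> list[str]:
    """Return triage findings for one SVG attachment (empty list = static image)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["unparseable-xml"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag == "script":
            findings.append("script-element")
        if tag in EMBED_TAGS:
            findings.append(f"embedded-html:{tag}")
        for attr, value in el.attrib.items():
            name, val = local(attr), value.strip()
            if name.startswith("on"):                      # onload, onclick, ...
                findings.append(f"event-handler:{name}")
            if name == "href" and val.lower().startswith("javascript:"):
                findings.append("javascript-uri")
            if name == "href" and re.match(r"(?i)(https?:)?//", val):
                findings.append(f"external-link:{val}")
            if B64_RUN.search(val):                        # also hits embedded rasters
                findings.append(f"base64-blob-in-attr:{name}")
        if el.text and B64_RUN.search(el.text):
            findings.append(f"base64-blob-in-text:{tag}")
    return findings

# Constructed samples: placeholder content only, example.invalid never resolves.
SAMPLE_BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
SAMPLE_SUSPICIOUS = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="placeholder()">
  <a xlink:href="https://login.example.invalid/?e=user@example.com"><text>Play voicemail</text></a>
  <script>/* constructed placeholder, no payload */</script>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(label, scan_svg(sample))
```

A static image should produce an empty list; any finding is a reason to quarantine the attachment for review, not proof of malice on its own.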

Social Engineering Tactics

Phishing emails in these campaigns are crafted with convincing subject lines such as “New Voicemail,” “Payment Confirmation,” or “eSignature Required.”

[Figure: A simplistic SVG that purports to be a voicemail notification]

They often impersonate trusted brands like DocuSign and Microsoft SharePoint to lure victims into opening the attachments.

According to the Sophos report, in some cases, the emails are localized to match the recipient’s language and region for added credibility.

To protect against these threats, experts recommend the following measures:

  • Change Default File Associations: Configure systems to open SVG files in text editors like Notepad instead of web browsers.
  • Verify Email Authenticity: Avoid opening attachments from unknown senders or emails with suspicious subject lines.
  • Scrutinize URLs: Check the browser address bar for the legitimate domain; phishing sites often use unusual domain extensions (top-level domains) like “.ru”.
  • Update Security Software: Ensure antivirus programs and operating systems are up-to-date to detect emerging threats.
  • Raise Awareness: Educate users about identifying phishing attempts and handling unusual file types cautiously.

These weaponized SVG attacks highlight the evolving strategies of cybercriminals in evading detection.

Organizations must adopt proactive measures to mitigate risks while enhancing user awareness to combat this growing threat effectively.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
