Thursday, May 8, 2025
Homecyber securityWeaponized SVG Files With Google Drive Links Attacking Gmail, Outlook & Dropbox...

Weaponized SVG Files With Google Drive Links Attacking Gmail, Outlook & Dropbox Users

Published on

SIEM as a Service

Follow Us on Google News

A new wave of phishing attacks is leveraging Scalable Vector Graphics (SVG) files to bypass traditional email security measures and target users of Gmail, Outlook, Dropbox, and other popular platforms.

These attacks, which began gaining momentum in late 2024, have surged since January 2025, demonstrating the adaptability of threat actors in exploiting less scrutinized file formats.

SVG files, unlike standard image formats like JPEG or PNG, are text-based XML files designed to create scalable vector graphics.

- Advertisement - Google News

This format allows for the inclusion of active web content such as JavaScript, HTML, and hyperlinks.

While this functionality is legitimate, cybercriminals are weaponizing it to embed malicious scripts and links that redirect users to phishing pages.

How the Attack Works

The attack typically starts with a phishing email containing an SVG attachment. When unsuspecting recipients open the file, it launches in their default web browser.

The SVG file may display simple graphics but also contains embedded hyperlinks or scripts that lead users to fake login portals mimicking services like Office365, Google Drive, or Dropbox.

These phishing pages often pre-fill the victim’s email address and use CAPTCHA challenges to appear legitimate while bypassing automated security scans.

In some advanced cases, SVG files include JavaScript that automatically redirects users to phishing sites without requiring them to click any links.

SVG Files
A malicious SVG attached to a fake “fax notification” email

Other variations involve Base64-encoded data within the SVG file that unpacks into malware-laden zip archives upon execution.

One notable example involved a Trojan (Troj/AutoIt-DHB) that installed a keystroke logger on victims’ devices.

Social Engineering Tactics

Phishing emails in these campaigns are crafted with convincing subject lines such as “New Voicemail,” “Payment Confirmation,” or “eSignature Required.”

SVG Files
A simplistic SVG that purports to be a voicemail notification

They often impersonate trusted brands like DocuSign and Microsoft SharePoint to lure victims into opening the attachments.

According to the Sophos report, in some cases, the emails are localized to match the recipient’s language and region for added credibility.

To protect against these threats, experts recommend the following measures:

  • Change Default File Associations: Configure systems to open SVG files in text editors like Notepad instead of web browsers.
  • Verify Email Authenticity: Avoid opening attachments from unknown senders or emails with suspicious subject lines.
  • Scrutinize URLs: Check browser address bars for legitimate domains; phishing sites often use unusual extensions like “.ru.”
  • Update Security Software: Ensure antivirus programs and operating systems are up-to-date to detect emerging threats.
  • Raise Awareness: Educate users about identifying phishing attempts and handling unusual file types cautiously.

These weaponized SVG attacks highlight the evolving strategies of cybercriminals in evading detection.

Organizations must adopt proactive measures to mitigate risks while enhancing user awareness to combat this growing threat effectively.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Microsoft Bookings Vulnerability Allows Unauthorized Changes to Meeting Details

Security researchers have uncovered a significant vulnerability in Microsoft Bookings, the scheduling tool integrated...

Nmap 7.96 Released with Enhanced Scanning Capabilities and Updated Libraries

The popular network mapping and security auditing tool Nmap has released version 7.96, featuring...

Cisco IOS XE Vulnerability Allows Attackers to Gain Elevated Privileges

Cisco has issued an urgent security advisory (ID: cisco-sa-iosxe-privesc-su7scvdp) following the discovery of multiple...

Cisco IOS, XE, and XR Vulnerability Allows Remote Device Reboots

 Cisco has issued an urgent security advisory (cisco-sa-twamp-kV4FHugn) warning of a critical vulnerability in...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Microsoft Bookings Vulnerability Allows Unauthorized Changes to Meeting Details

Security researchers have uncovered a significant vulnerability in Microsoft Bookings, the scheduling tool integrated...

Nmap 7.96 Released with Enhanced Scanning Capabilities and Updated Libraries

The popular network mapping and security auditing tool Nmap has released version 7.96, featuring...

Cisco IOS XE Vulnerability Allows Attackers to Gain Elevated Privileges

Cisco has issued an urgent security advisory (ID: cisco-sa-iosxe-privesc-su7scvdp) following the discovery of multiple...