A new wave of phishing attacks is leveraging Scalable Vector Graphics (SVG) files to bypass traditional email security measures and target users of Gmail, Outlook, Dropbox, and other popular platforms.
These attacks, which began gaining momentum in late 2024, have surged since January 2025, demonstrating the adaptability of threat actors in exploiting less scrutinized file formats.
SVG files, unlike raster image formats such as JPEG or PNG, are text-based XML documents that describe graphics as shapes, paths, and text so they can be scaled without loss of quality.
Because the format is XML, it can also carry active web content: JavaScript, embedded HTML, and hyperlinks.
While this functionality is legitimate, cybercriminals are weaponizing it to embed malicious scripts and links that redirect users to phishing pages.
The attack typically starts with a phishing email containing an SVG attachment. When unsuspecting recipients open the file, it launches in their default web browser.
The SVG file may display simple graphics but also contains embedded hyperlinks or scripts that lead users to fake login portals mimicking services like Office365, Google Drive, or Dropbox.
These phishing pages often pre-fill the victim’s email address and use CAPTCHA challenges to appear legitimate while bypassing automated security scans.
In some advanced cases, SVG files include JavaScript that automatically redirects users to phishing sites without requiring them to click any links.
Other variations involve Base64-encoded data within the SVG file that unpacks into malware-laden zip archives upon execution.
One notable example involved a Trojan (Troj/AutoIt-DHB) that installed a keystroke logger on victims’ devices.
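The indicators described above (script elements, hyperlinks to external login pages, inline event handlers, and Base64 blobs that decode to ZIP archives) can all be checked statically, because an SVG is just XML. The following triage script is an added example written for this article, not code from Sophos or any vendor; the element and attribute names it inspects are standard SVG, while the sample SVG documents, the `login.example.invalid` hostname and the in-memory ZIP are constructed here for illustration.

```python
"""Static triage of SVG attachments for the indicators the article lists."""
import base64
import binascii
import io
import re
import xml.etree.ElementTree as ET  # defusedxml.ElementTree is preferable in production
import zipfile

# Attribute names such as onload/onclick carry inline script.
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
# A long run of the Base64 alphabet is worth decoding to see what it unpacks into.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
ZIP_MAGIC = b"PK\x03\x04"
# Elements that execute code or embed foreign (HTML) content inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}


def _local(name: str) -> str:
    """Strip an XML namespace prefix: '{ns}href' -> 'href'."""
    return name.rsplit("}", 1)[-1]


def scan_svg(svg_text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = _local(el.tag).lower()
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element: <{tag}>")
        for attr, value in el.attrib.items():
            aname = _local(attr).lower()
            lowered = value.strip().lower()
            if EVENT_ATTR.match(aname):
                findings.append(f"event handler attribute: {aname}")
            elif aname == "href":  # covers both xlink:href and plain href
                if lowered.startswith("javascript:"):
                    findings.append("javascript: URL in href")
                elif lowered.startswith(("http://", "https://")):
                    findings.append(f"external hyperlink: {value}")
    # Decode any long Base64 run and check whether it is really a ZIP archive.
    for run in BASE64_RUN.findall(svg_text):
        try:
            decoded = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue
        if decoded.startswith(ZIP_MAGIC):
            findings.append("Base64 payload decodes to a ZIP archive")
    return findings


def is_suspicious(svg_text: str) -> bool:
    """Convenience wrapper for a quarantine decision."""
    return bool(scan_svg(svg_text))


# Constructed samples for demonstration; not taken from any real campaign.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="steelblue"/>
</svg>"""


def _constructed_zip_blob() -> str:
    """Build a harmless in-memory ZIP and Base64-encode it, standing in for an embedded archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample, not malware " * 8)
    return base64.b64encode(buf.getvalue()).decode("ascii")


SUSPICIOUS_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <text x="10" y="20">New voicemail attached</text>
  <a xlink:href="https://login.example.invalid/" onclick="void(0)">
    <rect width="120" height="30" fill="gray"/>
  </a>
  <script>window.location = "https://login.example.invalid/";</script>
  <text>{_constructed_zip_blob()}</text>
</svg>"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, "->", scan_svg(doc) or "clean")
```

A mail gateway rule can call `is_suspicious()` on every `.svg` attachment and quarantine matches; `scan_svg()` returns the individual findings so analysts can see which indicator fired. The hyperlink check flags every external URL rather than only known-bad domains, so a legitimate SVG with an outbound link will be reported too; treat those findings as a reason to inspect, and tighten the rule (for example, an allow-list of corporate domains) to fit your environment.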
Phishing emails in these campaigns are crafted with convincing subject lines such as “New Voicemail,” “Payment Confirmation,” or “eSignature Required.”
They often impersonate trusted brands like DocuSign and Microsoft SharePoint to lure victims into opening the attachments.
According to the Sophos report, in some cases, the emails are localized to match the recipient’s language and region for added credibility.
To protect against these threats, experts recommend the following measures:
These weaponized SVG attacks highlight the evolving strategies of cybercriminals in evading detection.
Organizations must adopt proactive measures to mitigate risks while enhancing user awareness to combat this growing threat effectively.