
How to Stop SVG-Based Phishing Attacks with Deep CDR

by Vinh Lam, Senior Technical Program Manager

Attackers increasingly weaponize SVG files with embedded JavaScript and Base64‑encoded payloads to deliver phishing pages and malware while evading traditional detection. Deep CDR™, one of the core technologies that powers MetaDefender Core™, neutralizes this class of attack by removing all active content (scripts, external references, event handlers, etc.) and delivering a clean, standards‑compliant image that preserves functionality while eliminating risk. Normal, trustworthy SVGs (Scalable Vector Graphics) do not need JavaScript, so it is removed by default.

Why SVG

The Perfect Vehicle for Phishing Payloads

SVG is an XML‑based vector image format, not a simple bitmap.

Sample code snippet of an SVG

An SVG file can include:

  • Scripts
  • Event handlers
  • External references

These features are useful for interactive graphics, but attackers exploit them to:

  • Run malicious code
  • Inject malicious XML data
  • Fetch external content
  • Render fake login pages

Attackers also combine SVGs with HTML/JS smuggling by embedding Base64 payloads inside seemingly harmless images and decoding them at runtime. This technique is now formally tracked as MITRE ATT&CK “SVG Smuggling” (T1027.017).

Key takeaway

In normal enterprise content workflows (logos, icons, diagrams), SVGs don’t require JavaScript or active content. If you find <script>, event handlers, or remote references in an inbound SVG, treat them as risky.

What We’re Seeing in the Wild

Email Attachment with Base64-Decoded Phishing

  • Delivery: A routine email carries an .svg attachment that many email gateways treat as an image.
  • Technique: Inside the SVG, an obfuscated <script> reconstructs a phishing page from a Base64 blob and loads it in the browser.

Drive-By Website Using Event Handlers for Redirect

  • Delivery: A compromised or typo-squatted site uses a transparent SVG overlay with clickable regions.
  • Technique: Event attributes (onload, onclick) trigger redirects using Base64 decoding.

Why Detection Struggles Here

Traditional approaches such as signatures, pattern rules, and static code inspection fail when attackers:

  • Obfuscate with Base64, XOR, junk text padding, or polymorphic templates.
  • Defer execution until runtime (e.g., onload), making static analysis unreliable.
  • Hide logic behind legitimate SVG features like event handlers and external references.

Interesting fact

SVG is used by 92% of the top 1000 websites for icons and graphics, according to HTTP Archive data.

“If It’s Active, It’s Risky”

Deep CDR for SVG

Deep CDR, one of the core technologies that powers MetaDefender Core, doesn’t try to guess what is malicious. It assumes any executable or active content in untrusted files is risky and removes or sanitizes it.

For SVGs, that means:

  • Remove JavaScript: Strips out any <script> elements and inline scripts to prevent code execution.
  • Remove CDATA: Eliminates hidden code inside CDATA sections that could embed harmful logic.
  • Remove Injection: Blocks injected content that could execute malicious programs.
  • Process Image: Recursively sanitizes embedded images and removes external images.
  • Normalize & Rebuild: Creates a standards-compliant SVG with only safe visual elements.
  • Optionally Rasterize: Converts SVG to PNG or PDF for workflows that don’t require vector interactivity.

This approach aligns with security guidance: sanitize or sandbox SVGs (or rasterize them) to prevent code execution.
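As an added illustration of the sanitization steps listed above, and of the key takeaway earlier that <script>, event handlers and remote references in an inbound SVG should be treated as risky, the following Python sanitizer is example code written for this article; it is not Deep CDR or any OPSWAT code. It parses the SVG with the standard library, drops script and foreignObject elements, event-handler attributes, external and nested-SVG references, and CSS that pulls in remote resources, then rebuilds the document from what remains; the list of actions it returns is the audit trail the best practices call for. SAMPLE_SVG is a constructed, harmless input; the hosts cdn.example and example.com and the placeholder() handlers are placeholders, and the rasterization step is not shown.

```python
# Example SVG sanitizer for this article; not OPSWAT's Deep CDR code.
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)         # serialize with the usual prefixes
ET.register_namespace("xlink", XLINK_NS)  # instead of ns0:/ns1:

ACTIVE_ELEMENTS = {"script", "foreignObject"}   # code or embedded HTML
HREF_ATTRS = {"href", f"{{{XLINK_NS}}}href"}    # plain and xlink: forms
# Only embedded raster data URIs pass; data:image/svg+xml is a nested SVG and
# everything else (http, javascript, ...) is treated as external.
SAFE_DATA_PREFIXES = ("data:image/png;", "data:image/jpeg;", "data:image/gif;")
# CSS can fetch remote resources via @import or a url(...) that is not a #local id.
CSS_EXTERNAL = re.compile(r"@import|url\(\s*['\"]?(?!#)", re.IGNORECASE)
DTD_MARKUP = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)  # entity tricks

def _local(name):
    """Local part of a '{namespace}name' tag or attribute."""
    return name.rsplit("}", 1)[-1]

def _href_is_safe(value):
    v = value.strip().lower()
    return v.startswith("#") or v.startswith(SAFE_DATA_PREFIXES)

def _drop_reason(el):
    """Audit message if the whole element must go, else None."""
    name = _local(el.tag)
    ns = el.tag[1:].split("}", 1)[0] if el.tag.startswith("{") else ""
    if name in ACTIVE_ELEMENTS:
        return f"removed active element <{name}>"
    if ns not in ("", SVG_NS):
        return f"removed non-SVG element <{name}>"
    if name == "style" and el.text and CSS_EXTERNAL.search(el.text):
        return "removed <style> with external reference"
    if name in ("image", "use"):  # these render their target, so drop if external
        if any(a in el.attrib and not _href_is_safe(el.attrib[a]) for a in HREF_ATTRS):
            return f"removed <{name}> with external reference"
    return None

def _strip_attributes(el, actions):
    """Delete event handlers, external links and remote CSS from one element."""
    name = _local(el.tag)
    for attr, value in list(el.attrib.items()):
        aname = _local(attr)
        if aname.lower().startswith("on"):
            reason = f"removed event handler {aname} on <{name}>"
        elif attr in HREF_ATTRS and not _href_is_safe(value):
            reason = f"removed external {aname} on <{name}>"
        elif aname == "style" and CSS_EXTERNAL.search(value):
            reason = f"removed inline style with external reference on <{name}>"
        else:
            continue
        del el.attrib[attr]
        actions.append(reason)

def _clean_tree(el, actions):
    _strip_attributes(el, actions)
    for child in list(el):
        reason = _drop_reason(child)
        if reason:
            el.remove(child)
            actions.append(reason)
        else:
            _clean_tree(child, actions)

def sanitize_svg(data):
    """Return (clean_svg_bytes, actions); actions is the audit log of removals.

    expat unwraps CDATA sections into ordinary text while parsing, so code
    hidden in CDATA is handled like any other script/style content.
    """
    if DTD_MARKUP.search(data):
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    actions = []
    _clean_tree(root, actions)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), actions

# Constructed sample: a logo-style SVG carrying the risky constructs the article
# describes. Handlers/script are inert placeholders; hosts are placeholders too.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="200" height="100" onload="placeholder()">
  <defs><symbol id="logo"><circle r="8" fill="#09f"/></symbol></defs>
  <style>@import url("https://cdn.example/theme.css");</style>
  <rect width="200" height="100" fill="#eee" onclick="placeholder()"/>
  <use xlink:href="#logo" x="20" y="20"/>
  <image href="https://cdn.example/banner.png" width="100" height="40"/>
  <a href="https://example.com/login"><text x="10" y="80">Sign in</text></a>
  <script><![CDATA[ /* constructed placeholder, not a payload */ ]]></script>
</svg>"""

if __name__ == "__main__":
    clean, log = sanitize_svg(SAMPLE_SVG)
    print("\n".join(log))
    print(clean.decode())
```

Running it on SAMPLE_SVG leaves the rect, the symbol and its <use>, and the "Sign in" text intact while logging six removals (the onload and onclick handlers, the @import stylesheet, the remote image, the outbound link and the script). Two design points: the parser is the standard library's expat, which does not resolve external entities but does expand internal ones, so the DTD pre-check (or a hardened parser such as defusedxml in production) matters; and removal is by allow-list of behaviour rather than by signature, so an obfuscated or Base64-wrapped script is dropped without ever being decoded.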

Top Use Cases with Deep CDR

Email Gateways

Sanitize inbound attachments and linked files (URLs resolved via download) before delivery. Delivering a sanitized SVG in place of the original prevents embedded credential harvesters from rendering and downloaders from firing.

Collaboration Platforms

Apply Deep CDR to files shared through tools like Teams, Slack, or SharePoint. Sanitizing SVGs here ensures that no hidden login screens or malicious scripts can trick users during everyday collaboration.

Web Upload Portals

Enforce sanitization on all files uploaded to your websites, CMS, or digital asset management systems. This prevents attackers from hiding harmful code inside what looks like a simple logo or graphic.

File Transfer & MFT (Managed File Transfer)

Integrate Deep CDR into file transfer workflows so every file, especially those from partners or vendors, is safe to use before entering your network. This reduces supply chain risks from compromised assets.

Business Impact

Ignoring SVG sanitization can lead to:

  • Credential Theft: Fake login pages harvest user credentials.
  • Malware Infections: Redirect chains deliver ransomware or stealers.
  • Compliance Violations: Breaches involving sensitive data can trigger fines and reputational damage.

Best Practices to Prevent SVG-based Attacks

  • Default stance: No JavaScript in SVG from untrusted sources.
  • Sanitize or rasterize: Apply Deep CDR to all inbound SVG files.
  • Combine with CSP: treat Content Security Policy as defense in depth, not as the primary control.
  • Audit and log: Track every sanitization action for compliance and forensics.

Closing Thoughts

SVG-based phishing is not theoretical; it is happening now. Detection-based tools can’t keep up with evolving obfuscation techniques. Deep CDR offers a deterministic, zero-trust approach, removing the risk before it reaches your users.
