Base64-encoding an SVG attack within an iframe and hiding it all in an EML attachment
Blog post from Sublime Security
Sublime's Attack Spotlight series sheds light on the evolving email threat landscape by presenting real-world attack samples, such as a credential phishing attack targeting Microsoft 365 users. This particular attack leveraged an EML attachment containing a malicious SVG file disguised as a voicemail recording which, when opened, redirected the victim to a fake Microsoft login page. The attack used multiple layers of evasion, including base64 encoding and custom obfuscation, to avoid detection. Sublime's platform introduced new features to counter such threats, including the beta.scan_base64 function, which decodes encoded strings to identify hidden malicious content. The company's AI-powered detection engine flagged the attack as malicious based on signals such as EML attachments, SVG files containing iframes, and base64 encoding. The detailed analysis and de-obfuscation effort highlighted the attackers' sophisticated techniques and underscored the importance of protecting login credentials.
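The layering described above (mail → attached EML → SVG → iframe → base64) is what a scanner has to unwind. The following is an added example, not code from the Sublime post or its platform: a Python scanner that builds a constructed nested EML, walks every attachment at any depth, and decodes base64 data: URIs inside SVG iframes to surface hidden login HTML. The use of a data: URI in the iframe, and all sample values, are assumptions.

```python
import base64
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample (not from the post): a "voicemail" SVG whose <iframe> src is a
# base64 data: URI that hides an HTML sign-in form. All values here are invented.
HIDDEN_HTML = b'<html><body><form action="https://login.invalid/">Sign in</form></body></html>'
SVG = ('<svg xmlns="http://www.w3.org/2000/svg"><foreignObject width="100%" height="100%">'
       '<iframe xmlns="http://www.w3.org/1999/xhtml" src="data:text/html;base64,'
       + base64.b64encode(HIDDEN_HTML).decode() + '"></iframe></foreignObject></svg>')

def build_sample_eml() -> bytes:
    """Outer mail -> attached .eml (message/rfc822) -> SVG attachment, mirroring the post."""
    inner = EmailMessage()
    inner["Subject"] = "New voicemail"
    inner.set_content("You have a new voice message; open the attachment to listen.")
    inner.add_attachment(SVG.encode(), maintype="image", subtype="svg+xml",
                         filename="Voicemail.svg")
    outer = EmailMessage()
    outer["Subject"] = "FW: voicemail"
    outer.set_content("See attached.")
    outer.add_attachment(inner)  # attached as message/rfc822
    return outer.as_bytes()

IFRAME_RE = re.compile(rb"<iframe\b", re.I)
DATA_B64_RE = re.compile(rb"data:[\w/+.-]+;base64,([A-Za-z0-9+/=]+)", re.I)
LOGIN_RE = re.compile(rb"<form\b|password|sign in|login", re.I)

def scan_eml(raw: bytes) -> list:
    """One finding per SVG attachment (any depth) whose iframe data: URI decodes to login-like HTML."""
    findings = []
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.walk():  # walk() descends into message/rfc822 attachments
        if part.get_content_type() != "image/svg+xml":
            continue
        svg = part.get_payload(decode=True)  # undo the transfer encoding (base64)
        if not IFRAME_RE.search(svg):
            continue
        for m in DATA_B64_RE.finditer(svg):
            try:
                decoded = base64.b64decode(m.group(1), validate=True)
            except ValueError:  # binascii.Error subclasses ValueError
                continue
            if LOGIN_RE.search(decoded):
                findings.append({"filename": part.get_filename(), "decoded": decoded})
    return findings
```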