Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics
Blog post from Sublime Security
Sublime's Attack Spotlight series highlights emerging threats in the email threat landscape by showcasing real-world attack samples and explaining adversary tactics and techniques. One notable threat is a credential phishing campaign that uses SVG files, which are often underestimated as mere image files but can embed JavaScript to facilitate attacks. In this campaign, an email mimicking a voicemail notification from a law firm carries an SVG attachment that, when opened, displays a blue checkmark and redirects the user to a phishing site through its embedded JavaScript. This site simulates a security check and leads the user to a fake Microsoft login page designed to harvest credentials, which are then verified against Microsoft's authentication service in an adversary-in-the-middle fashion. Sublime's AI-powered detection engine successfully thwarted this attack by identifying signals such as embedded JavaScript in SVGs, fake voicemail notifications, and communications from unknown senders, offering a robust defense against such email-based threats.
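As an added illustration of the "embedded JavaScript in SVGs" signal (this is example code, not Sublime's detection logic or anything from the post), the following Python inspects an SVG attachment for active content that a plain image never needs: script elements, on* event handlers, javascript: hrefs and foreignObject. The sample SVGs are constructed, with script bodies left as placeholder comments.

```python
import re
import xml.etree.ElementTree as ET


def svg_active_content_signals(svg_bytes: bytes) -> list:
    """Return the active-content signals found in an SVG attachment.

    Checks for <script> elements, on* event-handler attributes, javascript:
    URIs in href/xlink:href, and <foreignObject> (which can host HTML).
    Falls back to a raw text scan when the XML does not parse at all.
    """
    signals = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        text = svg_bytes.decode("utf-8", errors="ignore").lower()
        if re.search(r"<\s*script\b", text):
            signals.append("script-element(raw-scan)")
        return signals
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # drop the XML namespace
        if tag == "script":
            signals.append("script-element")
        elif tag == "foreignobject":
            signals.append("foreignobject-element")
        for attr, value in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()  # handles xlink:href too
            if name.startswith("on"):
                signals.append(f"event-handler:{name}")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                signals.append("javascript-uri:href")
    return signals


def should_quarantine(svg_bytes: bytes) -> bool:
    """An image attachment should never need scripting; any signal is enough."""
    return bool(svg_active_content_signals(svg_bytes))


# Constructed sample: blue checkmark drawing plus a script element, the shape
# of the lure described above (script body omitted on purpose).
SAMPLE_CHECKMARK = b"""<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">
  <circle cx="32" cy="32" r="30" fill="#1e90ff"/>
  <path d="M18 33 l9 9 l19 -19" stroke="white" stroke-width="6" fill="none"/>
  <script><![CDATA[ /* constructed sample: script body omitted */ ]]></script>
</svg>"""

# Constructed sample: no <script> tag, but an event handler and a javascript: link.
SAMPLE_HANDLERS = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="/* omitted */">
  <a xlink:href="javascript:/* omitted */"><rect width="10" height="10"/></a>
</svg>"""

# Constructed sample: a plain static image, which should pass.
SAMPLE_BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="64" height="64" fill="#ccc"/></svg>'
```

In a mail gateway this check would run on every attachment whose declared or sniffed type is image/svg+xml, independent of the file extension.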