Online Threat Alerts (OTA) - Alerting you to scams and frauds.
.svg File Scam - Protect Yourself

SVG (Scalable Vector Graphics) file scams are a rising phishing tactic where attackers use .svg image attachments to bypass email security filters and steal credentials or deliver malware. Unlike JPEGs or PNGs, SVG files are text-based XML files that can contain embedded JavaScript, enabling them to act as interactive applications.

How the Scam Works

  • Initial Email: You receive an email with an .svg attachment, often posing as an invoice, voicemail ("voicemail_vrecording.svg"), or document review ("document_review_2025.svg").
  • Disguised Files: Attackers may use double extensions, such as invoice.pdf.svg, to make you think it is a harmless document.
  • Automatic Execution: When clicked, the SVG file opens in your web browser (like Chrome or Edge) instead of an image viewer.
  • Redirect to Phishing Page: The script inside the SVG runs, automatically directing your browser to a fake login page (e.g., a fake Microsoft 365 or Google Workspace portal) designed to steal your username and password.
  • Malware Delivery: In some cases, the SVG triggers a download of a ZIP archive containing malicious software, such as Agent Tesla keylogger or XWorm RAT.

Why Attackers Use SVG Files

  • Filter Evasion: Many security systems treat SVG files as harmless images, allowing them to pass through defenses that would otherwise block malicious PDFs or Word documents.
  • No Macros Needed: These attacks do not rely on Office macros to run; they run natively in your browser.
  • High Trust: Users assume that image files are harmless, reducing suspicion.
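
For mail administrators, the following added example (not part of the original alert) shows how a filter can stop treating an .svg attachment as a passive image: it parses the file as XML and reports script elements, event-handler attributes, embedded HTML, script URLs and the double-extension naming described above. The function name, finding labels and decoy-extension list are assumptions made for illustration, and the sample files are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Extensions a trailing ".svg" is stacked onto, e.g. invoice.pdf.svg (assumed list).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png"}

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()

def inspect_svg(filename, data):
    """Return a sorted list of reasons an .svg attachment is not a passive image."""
    findings = set()
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-1] == "svg" and parts[-2] in DECOY_EXTS:
        findings.add("double-extension")
    # Refuse entity declarations before parsing (entity-expansion risk in the parser).
    if re.search(rb"<!ENTITY", data, re.I):
        return sorted(findings | {"entity-declaration"})
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return sorted(findings | {"malformed-xml"})
    for el in root.iter():
        name = local(el.tag)
        if name == "script":
            findings.add("script-element")
        elif name in ("foreignobject", "iframe", "embed", "object"):
            findings.add("embedded-html")
        for attr, value in el.attrib.items():
            a = local(attr)
            v = re.sub(r"\s+", "", value).lower()  # whitespace can split a scheme
            if a.startswith("on"):
                findings.add("event-handler")
            elif a == "href" and v.startswith(("javascript:", "data:text/html")):
                findings.add("script-url")
    return sorted(findings)

# Constructed samples (not taken from a real message).
ACTIVE = b'''<svg xmlns="http://www.w3.org/2000/svg" onload="/* placeholder */">
  <script type="text/javascript">/* placeholder: a browser would run this */</script>
</svg>'''
PASSIVE = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'

if __name__ == "__main__":
    print(inspect_svg("invoice.pdf.svg", ACTIVE))
    print(inspect_svg("logo.svg", PASSIVE))
```

Any non-empty result is a reason to quarantine or strip the attachment rather than deliver it as an image.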

Protect Yourself

  • Don't Open Unexpected SVGs: If you are not expecting a vector graphic file, especially from an unknown sender, delete the email immediately.
  • Check the URL: Before entering credentials on any website opened from an attachment, check the address bar. Malicious pages often use strange domains (e.g., .ru addresses or fake company names).
  • Use Proper Viewing Tools: Configure your computer to open SVG files with a standard image viewer (like Paint or Photos) rather than a web browser.
  • Report Suspicious Emails: Use your company's security tools to report phishing attempts.

If you accidentally opened a malicious SVG file and entered your credentials, immediately change your password, run a virus scan, and report the incident to your IT department.
