A unique phishing tactic has been seen in the wild, in which empty SVG files are hidden inside HTML attachments that pose as DocuSign documents.
Security researchers at Avanan, an email security company, dubbed it “Blank Image.” According to them, the attack is used to evade detection of its redirect URLs.
Prospective victims are sent phishing emails purporting to contain a DocuSign document, a brand many recipients know from work.
The victim is asked to review and agree to a document named “Scanned Remittance Advice.htm”.
HTML files are often ignored by email security software, so they have a higher chance of reaching the target’s mailbox.
Clicking on “View Completed document” takes the victim to DocuSign’s official webpage. If they open the HTML attachment, however, the “Blank Image” attack activates.
SVG smuggling code
The SVG image does not include any shapes or graphics, so it renders nothing on screen. It is only a placeholder that contains the malicious code.
It’s important to note that using HTML files with base64-obfuscated code to carry SVG files is not a new practice. The same method was used in December 2022.
In the DocuSign campaign that Avanan’s researchers noticed, the SVG was empty. The victim sees nothing on the screen, but the URL redirect code still runs in the background.
This is a novel way to obscure the real intent of the message. This bypasses VirusTotal, and it doesn’t get scanned even by the traditional “Click Time Protection.” – Avanan
Emails with HTML code and .HTM attachments should be treated with care. Administrators should also consider blocking them, Avanan suggests.
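A triage check for the pattern described above, added here as an example and not taken from Avanan: it decodes base64 runs in an HTML attachment and flags any embedded SVG that draws nothing yet carries script. The 40-character threshold, the tag lists, the helper names and the sample inputs are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Base64 runs long enough to hold an SVG document (threshold is an assumption).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Elements that draw something; an SVG with none of these renders blank.
DRAWABLE = re.compile(
    r"<\s*(path|rect|circle|ellipse|line|polyline|polygon|text|image|use)\b", re.I)
# Active content: script elements, inline event handlers, javascript: URLs.
ACTIVE = re.compile(r"<\s*script\b|\son\w+\s*=|javascript:", re.I)


def decode_svgs(html: str) -> list[str]:
    """Return every base64 run in the HTML that decodes to text containing <svg."""
    found = []
    for run in B64_RUN.findall(html):
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64, ignore
        text = raw.decode("utf-8", errors="replace")
        if re.search(r"<\s*svg\b", text, re.I):
            found.append(text)
    return found


def triage(html: str) -> list[dict]:
    """For each embedded SVG: does it draw anything, and does it carry code?"""
    results = []
    for svg in decode_svgs(html):
        blank = DRAWABLE.search(svg) is None
        active = ACTIVE.search(svg) is not None
        results.append({"blank": blank, "active": active,
                        "suspicious": blank and active})
    return results


def embed_sample(svg: str) -> str:
    """Wrap an SVG in an HTML page as a base64 data URI (constructed test input)."""
    b64 = base64.b64encode(svg.encode()).decode()
    return f'<html><body><embed src="data:image/svg+xml;base64,{b64}"></body></html>'


# Constructed samples; the script body is an inert placeholder comment.
BLANK_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><script>/* redirect code */</script></svg>'
LOGO_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'

if __name__ == "__main__":
    for name, svg in (("blank", BLANK_SVG), ("logo", LOGO_SVG)):
        print(name, triage(embed_sample(svg)))
```

The patterns are matched with regular expressions, not an XML parser, so hostile markup is never parsed; a hit is a reason to quarantine the attachment for review, not a verdict.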