A novel phishing tactic has been spotted in the wild, in which empty SVG images are hidden inside HTML attachments posing as DocuSign documents.
Security researchers at Avanan, an email security company, dubbed the technique "Blank Image". The empty image serves as a container for the redirect URL, keeping it out of sight of email security scanners, according to the researchers.
Phishing campaign
Prospective victims receive a phishing email purporting to contain a DocuSign document, a service many recipients are familiar with from work.
The email asks the victim to review and agree to the attached "Scanned Remittance Advice.htm" document.
Email used in the latest phishing campaign (Avanan)
HTML attachments are a popular choice for phishing, as they are often ignored by email security software and therefore stand a higher chance of reaching the target's mailbox.
Clicking "View Completed Document" takes the victim to DocuSign's legitimate website. Opening the HTML attachment, however, triggers the "Blank Image" attack.
SVG smuggling code
The HTML attachment contains an SVG image encoded in Base64, and the SVG in turn carries embedded JavaScript that redirects the victim to a malicious URL.
Content of the HTML file (Avanan)
The SVG image contains no shapes or graphics, so it renders nothing on screen; it is merely a placeholder carrying the malicious code.
Hiding Base64-obfuscated SVG files inside HTML attachments is not new; the same method was observed in December 2022.
SVGs, unlike raster formats such as JPG or PNG, are XML-based vector images, and like HTML documents they can contain <script> tags. An HTML document can display an SVG through an <embed>, <iframe> or <object> tag (or as inline <svg> markup), and when it does, the browser executes the JavaScript inside the image as soon as the document is opened. An SVG loaded via an <img> tag or a CSS background, by contrast, is rendered without running its scripts, which is why smuggling campaigns embed the image through one of the script-capable elements.
In the DocuSign campaign Avanan's researchers observed, the SVG was empty: the victim sees nothing on screen, but the URL redirect code still runs in the background.
This is a novel way to obscure the real intent of the message. This bypasses VirusTotal, and it doesn’t get scanned even by the traditional “Click Time Protection.” – Avanan
Emails carrying .HTML or .HTM attachments should be treated with caution, and administrators should consider blocking them altogether, Avanan suggests.