New 'Blank Image' attack hides phishing scripts in SVG files

silversurfer · Jan 20, 2023

An unusual phishing technique has been observed in the wild, hiding empty SVG files inside HTML attachments pretending to be DocuSign documents.

Security researchers at email security provider Avanan named it "Blank Image." They explain that the attack allows phishing actors to evade detection of redirect URLs.

It’s worth noting that the use of SVG files inside HTML containing base64-obfuscated code isn’t new. The same technique was observed in malspam delivering Qbot malware in December 2022.

Unlike raster images, like JPG and PNG, SVGs are vector images based on XML and can contain HTML script tags. When an HTML document displays an SVG image through an <embed> or <iframe> tag, the image is displayed and the JavaScript inside it executes.

In the DocuSign-themed campaign that Avanan researcher spotted, the SVG is empty. The victim sees nothing on their screen but the URL redirect code still runs in the background.

“This is an innovative way to obfuscate the true intent of the message. It bypasses VirusTotal and doesn’t even get scanned by traditional “Click-Time Protection.” By layering obfuscation upon obfuscation, most security services are helpless against these attacks.” - Avanan

Users should treat emails with HTML code in them and .HTM attachments with caution. Avanan also suggests that administrators should consider blocking them them.