If you’re not blocking SVG (Scalable Vector Graphics) attachments in email messages, you might want to.
I have observed something I haven’t yet seen: malicious email messages where the attachment the threat actor wants the target to open is an SVG file pretending to be an agreement.
The SVG file, when loaded, makes an HTTP call to load a remote image; it also contains a transparent layer which links to the malicious website.
Looks to be an attempt at evading detection.
@fellows Yep, can confirm. We’re seeing things like that also. Just make sure to check your logs before blocking so you don’t get aaaangry calls from Marketing.
@fellows We had some of those at the end of last year and also blocked SVG attachments.
@fellows SVGs support JavaScript by default, per the standard. Go figure…
@vampirdaddy Yikes!
@fellows Is this the SVG XSS payload?
@rtificial All that’s in the SVG file is a height and width tag, an image tag pointing to the lure image, and an <a> (click) tag pointing to the malicious website. There was no scripting in the file.
@fellows Oh word. Thanks for the additional info. Last month I was on a pentest and using SVG files with XSS payloads. But yeah, you’re right, it’s best to block those files or sandbox and sanitize them.
@rtificial I’ve now seen my first SVG file where there’s script inside src=data:application/ecmascript;base64. The decoded base64 is obfuscated further.
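The three SVG shapes described in this thread (remote image plus transparent link layer, script inside a data:application/ecmascript;base64 URI, and plain XSS payloads) can all be caught before delivery with a small attachment triage step at the mail gateway. The following is an added example, not code posted by anyone in the thread: the function names (analyze_svg, gateway_verdict), the verdict labels and the sample messages are constructed for illustration, and it uses the standard-library XML parser so it runs offline (a production gateway should parse untrusted XML with a hardened parser such as defusedxml).

```python
"""Triage SVG e-mail attachments before they reach a mailbox.

Added example, not code from the original thread. The gateway hook
(gateway_verdict), its verdict labels and the sample e-mails below are
assumptions made for illustration.
"""
import base64
import binascii
import email
import gzip
import re
import xml.etree.ElementTree as ET  # production: use defusedxml instead
from email import policy
from email.message import EmailMessage

REMOTE_URL = re.compile(r"^(https?:)?//", re.I)
SCRIPT_MIME = re.compile(r"^data:[^,]*(ecmascript|javascript)", re.I)


def _local(name: str) -> str:
    """Strip an XML namespace prefix: '{uri}href' -> 'href'."""
    return name.rsplit("}", 1)[-1].lower()


def _decode_data_uri(uri: str) -> str:
    """Return the body of a data: URI, base64-decoded when it says so."""
    head, _, body = uri.partition(",")
    if ";base64" in head.lower():
        body += "=" * (-len(body) % 4)  # tolerate stripped padding
        try:
            return base64.b64decode(body).decode("latin-1")
        except binascii.Error:
            return body  # undecodable: hand the raw text to the analyst
    return body


def analyze_svg(data: bytes) -> list:
    """Return (kind, detail) findings for: remote image loads, clickable
    links, <script> elements, on* event handlers and script carried in
    data:/javascript: URIs. A file the parser rejects is flagged too; a
    gateway must not assume a broken SVG is harmless."""
    if data[:2] == b"\x1f\x8b":  # .svgz is a gzip-wrapped SVG
        data = gzip.decompress(data)
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [("unparseable", str(exc))]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            findings.append(("script-element", f"<script> in <{_local(root.tag)}>"))
        for attr, val in el.attrib.items():
            name, v = _local(attr), val.strip()
            if name.startswith("on"):
                findings.append(("event-handler", f"{name} on <{tag}>"))
            if name not in ("href", "src"):
                continue
            if SCRIPT_MIME.match(v):
                findings.append(("data-uri-script", _decode_data_uri(v)[:80]))
            elif v.lower().startswith("javascript:"):
                findings.append(("javascript-uri", v[:80]))
            elif REMOTE_URL.match(v):
                kind = {"image": "remote-image", "a": "external-link"}.get(tag, "remote-reference")
                findings.append((kind, v))
    return findings


def svg_attachments(raw: bytes):
    """Yield (filename, bytes) for every SVG-looking part of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "image/svg+xml" or name.endswith((".svg", ".svgz")):
            payload = part.get_payload(decode=True)
            if payload:
                yield name, payload


def gateway_verdict(raw: bytes) -> tuple:
    """QUARANTINE when any SVG attachment has a finding, HOLD any other SVG
    so an admin can check logs before blocking outright (the thread's advice
    is to quarantine all SVG attachments), DELIVER when there is no SVG."""
    report = {name: analyze_svg(data) for name, data in svg_attachments(raw)}
    if any(report.values()):
        return "QUARANTINE", report
    return ("HOLD" if report else "DELIVER"), report


# Constructed samples (example.invalid hosts are placeholders, not real lures).
LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="800" height="600">
  <image width="800" height="600" xlink:href="https://lure.example.invalid/agreement.png"/>
  <a xlink:href="https://phish.example.invalid/login">
    <rect width="800" height="600" fill-opacity="0"/>
  </a>
</svg>"""
SCRIPT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="run()">
  <script href="data:application/ecmascript;base64,YWxlcnQoMSk="/>
</svg>"""
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="#c00"/>
</svg>"""


def build_sample_eml(svg: bytes = None, filename: str = "Agreement.svg") -> bytes:
    """Build a constructed test message, optionally with one SVG attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "target@example.invalid"
    msg["Subject"] = "Agreement for signature"
    msg.set_content("Please review the attached agreement.")
    if svg is not None:
        msg.add_attachment(svg, maintype="image", subtype="svg+xml", filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    for label, svg in (("lure", LURE_SVG), ("script", SCRIPT_SVG), ("benign", BENIGN_SVG)):
        print(label, gateway_verdict(build_sample_eml(svg)))
```

The findings are deliberately coarse: any remote reference or script carrier is enough to quarantine, and the decoded data: URI body is surfaced so the analyst can start on the next layer of obfuscation rather than re-deriving it. Parse failures are treated as findings because an attacker who can break the parser would otherwise get a free pass.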
@fellows It's not completely new. #bleepingcomputer covered this mechanism in November already.
Send e-mails with SVG attachments to quarantine in your mail gateway.
@dritsec Thanks for passing along the article! I didn’t suspect it was completely new, just the first time I’d seen it, hence the original post I made.
@fellows Any idea how to accomplish that with the Thunderbird email client?
@johnhobbs It’s always best to block stuff before it hits the mail client. You could check with your provider to see if they have filtering abilities.
I’m not familiar with Thunderbird, but you might be able to create rules that would run when email is downloaded.
@fellows Thanks. I'll look into that.
@fellows hey there! How does one do this?
@frankietankie this would be something done at the mail security level before it reaches the user’s mailbox.
@fellows At least make SVGs not render but require them to be saved to disk.
@fellows Interesting. Never seen it, but will keep an eye out now.
JFC
As a person who works *in* SVGs, and exchanges them regularly, this is an issue.
@fellows I've been working with SVGs for a while now, and I do think they are a little *too* powerful in some cases. You have to be vigilant about malicious code inside SVGs.
@fellows In other words, I'm starting to think there's a lot to be said for neo-luddism.
@fellows@cyberplace.social In a more "classic" way, it can also be used for tracking purposes...