Sharp increase in phishing attacks using SVG graphic files

February 16, 2025

Malware and phishing attacks using the widely used SVG graphics file format have been rising sharply since January 2025, according to Sophos X-Ops observations.

In a new report, Sophos X-Ops describes a sharp increase in malware and phishing attacks carried out using SVG files. Cybercriminals are increasingly using the widespread SVG graphics format for their own purposes and are trying to circumvent the automatic detection of anti-phishing and anti-spam solutions.

Malicious use of the SVG image format has been under observation since 2024. SVG (Scalable Vector Graphics) is the specification recommended by the World Wide Web Consortium (W3C) for describing two-dimensional vector graphics and has been in use since 2001. All common browsers support SVG, and well over half of all websites worldwide use SVG graphics.

The general advantages of SVG are the reason why cybercriminals are also increasingly relying on this format for their illegal activities. On the one hand, the widespread use of SVG graphics makes them appear harmless to users, even in phishing e-mails. On the other hand, cybercriminals take advantage of the fact that SVG files, unlike purely binary image formats such as JPG or TIF, contain XML code. This makes it possible for attackers to easily embed their own code and transport it undetected. When the recipient or user opens the graphic file (which often happens automatically), the malicious actions are triggered unnoticed in the background.
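A defender-side check for the property described above, as an added example that is not from Sophos or the original article: it parses an SVG attachment as XML and reports the elements and attributes that can carry active content or outbound links. The function name `scan_svg`, the tag list and both sample files are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples, not taken from any real campaign.
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/>'
              '<a href="#top"><text>up</text></a></svg>')
ACTIVE_SVG = '''<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <script>/* placeholder */</script>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"/></foreignObject>
  <a xmlns:xlink="http://www.w3.org/1999/xlink"
     xlink:href="https://example.invalid/login"><text>Open</text></a>
</svg>'''

# Elements that let an SVG run script or embed HTML (assumed list, extend as needed).
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
LINK_ATTRS = {"href", "src"}


def local(name):
    """Strip ElementTree's '{namespace}' prefix and lowercase the name."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(text):
    """Return a sorted list of findings describing active content in an SVG."""
    if "<!ENTITY" in text.upper():
        return ["entity-declaration"]  # refuse to parse: entity expansion risk
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return ["unparseable"]
    findings = set()
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.add("element:" + tag)
        for name, value in el.attrib.items():
            attr, val = local(name), value.strip().lower()
            if attr.startswith("on"):  # onload, onclick, ...
                findings.add("handler:" + attr)
            elif attr in LINK_ATTRS and not val.startswith("#"):
                # Same-document fragments are ignored; everything else is reported.
                scheme = val.split(":", 1)[0] if ":" in val else "relative"
                findings.add("link:" + scheme)
    return sorted(findings)


if __name__ == "__main__":
    print(scan_svg(BENIGN_SVG), scan_svg(ACTIVE_SVG))
```

A mail gateway or triage script could quarantine any SVG attachment for which the list is non-empty, since ordinary logos and icons rarely need script, event handlers or embedded HTML.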

“We know that cybercriminals are using the SVG file format for their attacks and we have prepared our anti-spam and anti-phishing solutions for this attack variant. What is insidious about this attack method is that the user no longer has any clues to help them decide whether something is phishing or not. When malware is embedded in the XML code, everything happens in the background. The important security component that a responsible employee represents is thus largely eliminated. As a result, technical detection methods, including AI, must be trained all the more to recognize and defend against unusual behavior on workstations and in the network,” explains Michael Veit, a cybersecurity expert at Sophos.

Sophos X-Ops reports that the attacks using the SVG file format are becoming increasingly sophisticated. What’s more, cybercriminals have refined their methods to appear even more convincing. Now, the security specialists have also found localized phishing pages in this context, tailored to the local languages of their targets.

The latest findings on the malicious use of SVG file formats for phishing attacks are described in detail by the Sophos X-Ops team here: https://news.sophos.com/en-us/2025/02/05/svg-phishing/
