AI vs. AI: Detecting an AI-obfuscated phishing campaign

Microsoft Threat Intelligence detected and blocked a credential-phishing campaign that used an SVG attachment with AI-like, business-term–based obfuscation to hide a JavaScript payload that redirected users to a phishing landing page. Microsoft Defender for Office 365’s AI-powered protections identified infrastructure, behavioral, and message-context signals to block the campaign. #SVG #SecurityCopilot

Key points

  • On August 18, attackers used a compromised small business email account to send self-addressed phishing emails with a malicious attachment named “23mb – PDF- 6 pages.svg” aimed at stealing credentials.
  • The SVG file used invisible elements and encoded business-related terms in a hidden attribute; embedded JavaScript decoded those terms into malicious functionality (redirects, fingerprinting, session tracking).
  • Microsoft Security Copilot assessed the SVG code as likely AI/LLM-generated based on indicators such as verbose naming, modular over-engineered structure, generic comments, formulaic obfuscation, and unnecessary XML/CDATA usage.
  • Microsoft Defender for Office 365 blocked the campaign by analyzing attack infrastructure, TTPs, impersonation strategies, and message delivery context—signals largely unaffected by AI-generated payloads.
  • Detected IOCs included the domain kmnl.cpfcenters[.]de and the attachment file name “23mb – PDF- 6 Pages.svg”; automated analysis showed redirects to known phishing infrastructure and suspicious session-tracking behavior.
  • Recommended mitigations include enabling Safe Links and ZAP in Defender for Office 365, turning on cloud-delivered protection, using phishing-resistant authentication (Entra/Conditional Access), and deploying Defender SmartScreen–capable browsers.
  • Microsoft provided hunting queries and Defender XDR/Sentinel guidance (including an ASIM query) to help customers detect related domain and web session indicators.
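
As an added example that is not code from the Microsoft post, the following Python script is a static triage check for the attachment pattern described in the key points above: a `<script>` element (typically wrapped in CDATA), invisible elements, and a long run of plain words stored in a custom attribute that the script reads back. The indicator weights, the `min_words` threshold, the verdict cut-offs and the sample SVG are all assumed or constructed, and the sample's script body is inert.

```python
import re
import xml.etree.ElementTree as ET

# Style tokens that make an element invisible (opacity:0, but not opacity:0.5).
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])")
WORD_RUN = re.compile(r"[A-Za-z]{3,}")
WEIGHTS = {"script": 3, "cdata": 1, "hidden": 1, "wordlist_attr": 2, "script_reads_attr": 2}  # assumed weights

def _is_hidden(el):  # hidden via style, opacity/visibility attribute, or zero size
    if HIDDEN_STYLE.search(el.get("style", "")):
        return True
    if el.get("opacity") == "0" or el.get("visibility") == "hidden":
        return True
    return el.get("width") == "0" or el.get("height") == "0"

def triage_svg(svg_text, min_words=12):
    """Count the indicators from the campaign description; min_words is an assumed threshold."""
    root = ET.fromstring(svg_text)
    f = {k: 0 for k in WEIGHTS}
    f["cdata"] = svg_text.count("<![CDATA[")  # ElementTree drops CDATA markers, so check raw text
    for el in root.iter():
        body = el.text or ""
        if el.tag.rsplit("}", 1)[-1] == "script":  # strip the SVG namespace from the tag
            f["script"] += 1
            if "getAttribute(" in body or ".dataset" in body:
                f["script_reads_attr"] += 1  # script reads an attribute back, as the decoder did
        if _is_hidden(el):
            f["hidden"] += 1
        for attr, value in el.attrib.items():
            # A long run of plain words stuffed into one attribute is the encoded-term dictionary.
            if attr not in ("style", "d", "points") and len(WORD_RUN.findall(value)) >= min_words:
                f["wordlist_attr"] += 1
    return f

def risk_score(findings):
    """Each indicator present contributes its weight once; verdict thresholds are assumed."""
    score = sum(WEIGHTS[k] for k, v in findings.items() if v)
    return score, "suspicious" if score >= 5 else "review" if score >= 3 else "clean"

# Constructed sample mimicking the described attachment; the script body is inert.
SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="200" height="100">
  <rect width="200" height="100" fill="white"/>
  <g style="display:none" data-terms="revenue invoice quarterly forecast ledger budget audit
     payroll compliance procurement merger dividend liability equity margin turnover"/>
  <script><![CDATA[
    var t = document.querySelector("g").getAttribute("data-terms");
    /* decoding and redirect logic intentionally omitted from this constructed sample */
  ]]></script>
</svg>"""
```

`triage_svg(SUSPICIOUS_SVG)` reports every indicator once and `risk_score` returns `(9, "suspicious")`; a plain drawing with no script scores 0.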

MITRE Techniques

  • [T1566] Phishing – Use of credential phishing emails with an attached malicious SVG file to trick recipients into visiting a phishing landing page. Quote: ‘phishing emails sent from a compromised small business email account… attached SVG file executed upon opening in a browser.’
  • [T1204] User Execution – Embedded JavaScript within the SVG executed when the file was opened in a browser to trigger redirects and subsequent credential-harvesting flows. Quote: ‘Embedded JavaScript within the attached SVG file executed upon opening in a browser.’
  • [T1222] User Interface Modification (Browser-based) – Use of a fake CAPTCHA and security verification prompt to build trust and delay suspicion before presenting a fake sign-in page. Quote: ‘redirected the user to a webpage that prompted them to complete a CAPTCHA for security verification.’
  • [T1027] Obfuscated Files or Information – Obfuscation using invisible SVG elements and encoded business terminology to hide payload functionality and evade analysis. Quote: ‘obfuscation using invisible SVG elements and encoded business terminology.’
  • [T1598] Phishing for Information – Creation of a fake sign-in page (likely after CAPTCHA) to harvest credentials and session details. Quote: ‘would have very likely presented a fake sign in page after the CAPTCHA to harvest credentials.’
  • [T1078] Valid Accounts (Compromised Account) – Initial access via a compromised small business email account used to send the phishing messages. Quote: ‘phishing emails sent from a compromised small business email account.’
  • [T1086] PowerShell/Script (Browser scripting) – Use of embedded JavaScript in SVG to perform multi-stage decoding and malicious actions such as redirects, browser fingerprinting, and session tracking. Quote: ‘embedded JavaScript… decoded the sequence, reconstructing the hidden functionality… redirecting a user’s browser… triggering browser fingerprinting, and initiating session tracking.’

Indicators of Compromise

  • [Domain] Phishing hosting domain – kmnl.cpfcenters[.]de
  • [File name] Malicious attachment name – “23mb – PDF- 6 Pages.svg”
  • [URL/Redirect] Malicious landing page infrastructure – redirect to domain kmnl.cpfcenters[.]de (used in phishing flow)
  • [Behavioral IOC] Techniques observed – self-addressed email with BCC recipients, embedded JavaScript in SVG, CAPTCHA gate, browser fingerprinting and session tracking (behavioral indicators rather than hash/IP)
Read more: https://www.microsoft.com/en-us/security/blog/2025/09/24/ai-vs-ai-detecting-an-ai-obfuscated-phishing-campaign/