Attackers Use SVG Images to Steal Credentials

Cybercriminals have begun using SVG files containing malicious JavaScript in phishing emails to bypass security filters and steal Microsoft 365 credentials. The attack redirects victims to a fake login page via a phishing URL embedded in the SVG file, potentially compromising corporate networks. #SVGPhishing #Microsoft365 #MutationObserver

Keypoints

  • Phishers are leveraging SVG files, which can contain executable JavaScript, as a novel vector in phishing campaigns.
  • The malicious SVG uses JavaScript that detects DOM mutations to execute encoded payloads.
  • The payload decodes and redirects victims to a phishing URL that includes the victim’s email address encoded in base64.
  • The phishing URL directs users through a Cloudflare CAPTCHA to a fake Microsoft login screen pre-filled with their email.
  • Successful credential theft can lead to infiltration of corporate networks and further attacks, including data theft and ransomware.
  • Email security tools have started detecting a rise in SVG-based phishing attacks, emphasizing the evolving threat landscape.
  • Recommended defenses include advanced email security solutions, employee training, cautious handling of unexpected attachments, and endpoint protection.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – The attack uses SVG files with embedded JavaScript to trick users into opening malicious attachments. (‘Phishers are constantly looking for new types of email attachment that allow them to sneak malicious messages or code past spam filters.’)
  • [T1059.007] Command and Scripting Interpreter: JavaScript – JavaScript code within the SVG executes upon DOM mutation. (‘JavaScript code can be executed when the file is opened, or by “DOM mutation”, such as a change to the page’s structure. This code watches for DOM mutations using the MutationObserver object.’)
  • [T1036.004] Masquerading: Match Legitimate Name or Location – The phishing email appears to come from a valid company email address. (‘An employee at a logistics company recently received an email, seemingly from an address at their company.’)
  • [T1071.001] Application Layer Protocol: Web Protocols – The malicious JavaScript redirects victims to a phishing website via HTTP. (‘The decoding version of n contains code to load a web page—window.location.href—with the address of the page encoded in base64.’)
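
The behaviour listed above (script inside an SVG, a MutationObserver trigger, a base64-decoded redirect target) can be checked for at a mail gateway before the attachment reaches a browser. The following scanner is an added example written for this summary, not code from the ThreatDown write-up; the fixture SVG and the `phishing-placeholder.invalid` URL are constructed stand-ins, not indicators from the campaign.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Indicators described in the report: MutationObserver as the trigger,
# a location-based redirect, and a target URL decoded from base64 at runtime.
SUSPICIOUS_TOKENS = ("MutationObserver", "location.href", "atob(")
B64_RE = re.compile(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']')

def decode_b64_urls(script_text):
    """Return base64 string literals in the script that decode to a URL."""
    found = []
    for blob in B64_RE.findall(script_text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.startswith(("http://", "https://")):
            found.append(decoded)
    return found

def scan_svg(svg_text):
    """Inspect an SVG attachment and report the script indicators it carries."""
    root = ET.fromstring(svg_text)
    local = lambda el: el.tag.rsplit("}", 1)[-1]       # strip the XML namespace
    scripts = [el.text or "" for el in root.iter() if local(el) == "script"]
    # Event-handler attributes (onload=, onclick=, ...) also execute script.
    handlers = [k for el in root.iter() for k in el.attrib if k.lower().startswith("on")]
    script_text = "\n".join(scripts)
    tokens = [t for t in SUSPICIOUS_TOKENS if t in script_text]
    return {
        "has_script": bool(scripts) or bool(handlers),
        "tokens": tokens,                       # for analyst triage
        "decoded_urls": decode_b64_urls(script_text),
        # Policy assumed here: an SVG attachment carrying any script is blocked.
        "verdict": "block" if (scripts or handlers) else "allow",
    }

# Constructed fixture mirroring the reported structure; the URL is a placeholder.
PHISH_URL = "https://phishing-placeholder.invalid/login?e="
SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg">
  <rect width="10" height="10"/>
  <script><![CDATA[
    new MutationObserver(function () {{
      window.location.href = atob("{base64.b64encode(PHISH_URL.encode()).decode()}");
    }}).observe(document, {{childList: true}});
  ]]></script>
</svg>"""

if __name__ == "__main__":
    print(scan_svg(SAMPLE_SVG))
```

The decoded URL is the value to feed into blocklists or sandbox detonation; the verdict alone is enough to quarantine the message.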

Indicators of Compromise

  • [Domain] Phishing domains used in campaign – cclaccmg[.]es and its subdomains involved in redirecting victims to phishing sites.
  • [File Type] Malicious attachment – SVG files containing JavaScript used as email attachments in phishing emails.

Read more: https://www.threatdown.com/blog/criminals-smuggle-phishing-code-in-svg-images/