{“lastseen”:”2025-09-25T17:04:47″,”description”:”We’ve written in the past about cybercriminals using SVG files for phishing and for clickjack campaigns. We found a new, rather sophisticated example of an SVG involved in phishing.\\n\\nFor readers that missed the earlier posts, SVG files are not always simply image files. Because they are written in XML (eXtensible Markup Language), they can contain HTML and JavaScript code, which cybercriminals can exploit for malicious purposes.\\n\\nAnother advantage for phishers is that, on a Windows computer, SVG files get opened by Microsoft Edge, regardless of what your default browser is. Since most people prefer to use a different browser, such as Chrome, Edge can often be overlooked when it comes to adding protection like ad-blockers and web filters.\\n\\nThe malicious SVG we’ve found uses a rather unusual method to send targets to a phishing site. \\n\\nInside `RECElPT.SVG` we found a script containing a lot of food\/recipe-related names (\\”menuIngredients\\”, \\”bakingRound\\”, \\”saladBowl\\”, etc.), which are all simply creative disguises for obfuscating the code\u2019s malicious intentions.\\n\\nThis is the part of the code where the phishers hid a redirect:\\n\\n\\n\\nUpon close inspection, the illusion of an edible recipe quickly disappears. 141 cups of eggs, anyone?\\n\\nBut picking the code apart, we noticed that the decoder works like this:\\n\\n 1. Search for data-ingredients=\\”\u2026\\” in the given text.\\n 2. Split the string inside the attribute by commas to get a list. E.g., 219cups_flour, 205tbsp_eggs,\u2026\\n 3. For each element, extract the leading numeric value (e.g., 219 from 219cups_flour).\\n 4. Subtract 100 from this value.\\n 5. If the result is an ASCII printable character (ranging from 32\u2013126), then convert it to the character with that number.\\n 6. Join all characters together to form the final decoded string.\\n\\n\\n\\nUsing this method we arrived at `window.location.replace(\\”https:\/\/outuer.devconptytld[.]com.au\/\\”);`\\n\\n`window.location.replace` is a JavaScript method that replaces the current resource with the one at the provided URL. In other words, it redirects the target to that location if they open the SVG file.\\n\\nWhen redirected, the user will see this prompt, which is basically intended to hide the real location of the server behind Cloudflare services, but also provides some sense of legitimacy for the visitor.\\n\\n\\n\\nIt doesn\u2019t matter what the user does here, they will get forwarded again with the code passing the e parameter (the target\u2019s email address) on to the next destination.\\n\\nBut this is where our adventure ended. For us, the next site was an empty one.\\n\\nWe couldn\u2019t determine what conditions had to be met to get to the next stage of the phishing expedition. But it is highly likely it will display a fake login form (almost certainly Microsoft 365- or Outlook-themed), to capture the target’s username and password.\\n\\nMicrosoft flagged a similar campaign which was clearly obfuscated with AI assistance and appeared even more legitimate at first glance.\\n\\nSome remarks we want to share about this campaign:\\n\\n * We found several versions of the SVG file dating back to August 26, 2025.\\n * The attacks are very targeted with the target\u2019s email address embedded in the SVG file.\\n * The phishing domain could be a typosquat for the legitimate devconptyltd.com.au, so it could mean the targets were doing business with Devcon Pty Ltd who owns that domain. This is a tactic we often see in Business Email Compromise (BEC) attacks.\\n * We found several subdomains of devconptytld[.]com.au associated with this campaign. The domain’s TLS certificate dates back to August 24, 2025 and is valid for 3 months.\\n\\n\\n\\n## How to stay safe from SVG phishing attacks\\n\\nSVG files are an uncommon attachment to receive, so it\u2019s good to keep in mind that:\\n\\n * They are not always \u201cjust\u201d image files.\\n * Several phishing and malware campaigns use SVG files, so they deserve the same treatment as any other attachment: don\u2019t open until the trusted sender confirms sending you one.\\n * Always check the address of a website asking for credentials. Or use a password manager, they will not auto-fill your details on a fake website.\\n * Use real-time anti-malware protection, preferably with a web protection component. Malwarebytes blocks the domains associated with this campaign.\\n * Use an email security solution that can detect and quarantine suspicious attachments.\\n\\n\\n\\n* * *\\n\\n**We don\u2019t just report on threats\u2014we remove them**\\n\\nCybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.”,”published”:”2025-09-25T15:32:17″,”modified”:”2025-09-25T15:32:17″,”type”:”malwarebytes”,”title”:”New SVG-based phishing campaign is a recipe for disaster”,”source”:””,”references”:””,”id”:”MALWAREBYTES:9B3BD4366E43E5191B1814B4CBA1B78A”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2025\/09\/new-svg-based-phishing-campaign-is-a-recipe-for-disaster”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-09-25T17:04:47″,”description”:”We’ve written in the past about cybercriminals using SVG files for phishing and for clickjack campaigns. We found a new, rather sophisticated example of an…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-19050","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n