Fellows on Nostr: If you’re not blocking SVG (Scalable Vector Graphic) attachments in email messages ...
If you’re not blocking SVG (Scalable Vector Graphic) attachments in email messages you might want to.
I have observed something I haven’t yet seen. Malicious email messages where the attachment the threat actor wants the target to open is an SVG file pretending to be an agreement.
The SVG file, when loaded, makes an HTTP call to load a remote image; it also contains a transparent layer which links to the malicious website.
Looks to be an attempt at evading detection.
#ThreatIntel
Published at 2025-01-21 19:14:28
Event JSON
{
"id": "474856709680fd8f010beb27b94cc61f9eb8a92e5ff80e825d60b02e64f7ed67",
"pubkey": "3686d9791c8efa8c164a2f5f554e44442462dd11bf21bb5690924b3f0ee63d12",
"created_at": 1737486868,
"kind": 1,
"tags": [
[
"t",
"threatintel"
],
[
"proxy",
"https://cyberplace.social/@fellows/113867939392912124",
"web"
],
[
"proxy",
"https://cyberplace.social/users/fellows/statuses/113867939392912124",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://cyberplace.social/users/fellows/statuses/113867939392912124",
"pink.momostr"
],
[
"-"
]
],
"content": "If you’re not blocking SVG (Scalable Vector Graphic) attachments in email messages you might want to. \n\nI have observed something I haven’t yet seen. Malicious email messages where the attachment the threat actor wants the target to open is a to SVG file pretending to be an agreement. \n\nThe SVG file when loaded makes a HTTP call to load a remote image, it also contains a transparent layer which links to the malicious website. \n\nLooks to be an attempt at evading detection. \n\n#ThreatIntel",
"sig": "df93239417c907bfc3928ab7213f91b6828748dbae4847b05f26023351a306fb40a4811f3e50a33ac374afbeb31b629ae53ed0174296b1f93f6020aa19c41493"
}
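For mail-filter triage of the attachment pattern the post describes (a remote image load plus a transparent layer wrapped in a link), here is an added example that is not part of the original post. The function name, finding labels, and the constructed sample with `example.invalid` hosts are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
REMOTE = re.compile(r"\s*(https?:)?//", re.I)  # absolute or scheme-relative URL

def _href(el):
    return el.get("href") or el.get(XLINK_HREF) or ""

def _is_zero(value):
    try:
        return float(value.rstrip("%")) == 0.0
    except ValueError:
        return False

def _invisible(el):
    # Presentation properties can sit in attributes or in the inline style.
    style = {k.strip().lower(): v.strip().lower() for k, _, v in
             (p.partition(":") for p in (el.get("style") or "").split(";"))}
    prop = lambda name: (el.get(name) or style.get(name) or "").strip().lower()
    return (_is_zero(prop("opacity")) or _is_zero(prop("fill-opacity"))
            or prop("fill") == "transparent")

def scan_svg(data: bytes):
    """Return (finding, url) pairs for one SVG attachment (hypothetical helper)."""
    # Refuse DTDs before parsing: a plain image needs none, so fail closed.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.I):
        return [("doctype", "")]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return [("unparseable", "")]
    findings = []

    def walk(el, link):
        tag = el.tag.rsplit("}", 1)[-1].lower()  # strip the XML namespace
        href = _href(el)
        if tag == "a" and REMOTE.match(href):
            link = href  # descendants of this <a> inherit the link target
            findings.append(("link", href))
        elif tag == "image" and REMOTE.match(href):
            findings.append(("remote-image", href))
        if link and _invisible(el):
            findings.append(("transparent-link", link))
        for child in el:
            walk(child, link)

    walk(root, None)
    return findings

# Constructed sample, not a captured attachment.
SAMPLE = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image href="https://img.example.invalid/agreement.png" width="600" height="800"/>
  <a xlink:href="https://login.example.invalid/doc"><rect width="600" height="800" style="fill:#fff; opacity:0"/></a>
</svg>"""
```

A `remote-image` finding together with a `transparent-link` finding in one attachment matches the pattern in the post; either finding alone is still unusual for an emailed "agreement".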