Xavier Mertens reports a recent surge in phishing emails that use SVG files to deliver malicious content. These SVG files are simplistic and contain no graphical elements at all; instead they carry JavaScript designed to redirect victims to phishing sites. The payload is obscured with Base64 encoding and XOR operations, and the redirect relies on a cheap TLD ('.cfd') commonly abused in phishing campaigns. Mertens notes that SVG files are handled by default by browsers on Windows, which gives such attacks an easy path to execution.
The email is sent to a targeted address, which, combined with an unusual MIME type declaration ('application/ecmascript'), may be an attempt to evade common security filters. This method illustrates a new wave of phishing threats.
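The following is an added triage example, not code from Mertens' diary or the original page. It shows how a defender can statically inspect an SVG attachment for the traits described above: a `<script>` element (or inline `on*` event handler) in a file with no graphics, a Base64 blob inside the script, a single-byte XOR layer over the decoded bytes, and a recovered URL on a cheap TLD such as `.cfd`. The sample SVG, the placeholder URL, the XOR key and all function names are constructed for the example; the scan never executes the script, it only parses and decodes bytes.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# TLDs the page names as cheap and commonly abused; extend as needed.
SUSPICIOUS_TLDS = (".cfd",)
# Candidate Base64 runs: 16+ alphabet characters plus optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# --- Constructed test fixture (not a real sample) -------------------------
# A placeholder URL is XOR-ed with a single byte and Base64-encoded, then
# dropped into a <script> element of an SVG that draws nothing.
_HIDDEN_URL = b"https://example-login.cfd/"   # constructed placeholder
_XOR_KEY = 0x2A                               # constructed key
_BLOB = base64.b64encode(bytes(b ^ _XOR_KEY for b in _HIDDEN_URL)).decode()
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
    '<script type="application/ecmascript">var p="' + _BLOB + '";</script>'
    "</svg>"
)
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
)


def extract_scripts(svg_text):
    """Return (kind, body) pairs for every script carrier in the SVG:
    <script> elements (kind = declared type) and on* event attributes."""
    root = ET.fromstring(svg_text)
    carriers = []
    for el in root.iter():
        local = el.tag.split("}")[-1]          # strip the XML namespace
        if local == "script":
            carriers.append((el.get("type", ""), el.text or ""))
        for attr, value in el.attrib.items():
            if attr.lower().startswith("on"):  # onload=, onclick=, ...
                carriers.append((attr, value))
    return carriers


def xor_recover_url(blob):
    """Try every single-byte XOR key on decoded bytes; return (key, text)
    for the first all-printable result that contains a URL scheme."""
    for key in range(256):
        cand = bytes(b ^ key for b in blob)
        if all(32 <= c < 127 for c in cand) and b"http" in cand:
            return key, cand.decode("ascii")
    return None


def analyze_svg(svg_text):
    """Static triage of one SVG document. Returns a findings dict."""
    findings = {
        "has_script": False,
        "script_types": [],
        "recovered_urls": [],
        "suspicious_tld": False,
    }
    for kind, body in extract_scripts(svg_text):
        findings["has_script"] = True
        if kind:
            findings["script_types"].append(kind)
        for match in B64_RE.finditer(body):
            try:
                raw = base64.b64decode(match.group(0), validate=True)
            except (binascii.Error, ValueError):
                continue                       # not valid Base64, skip
            hit = xor_recover_url(raw)
            if hit is None:
                continue
            _key, url = hit
            findings["recovered_urls"].append(url)
            host = (urlsplit(url).hostname or "").lower()
            if host.endswith(SUSPICIOUS_TLDS):
                findings["suspicious_tld"] = True
    return findings


if __name__ == "__main__":
    print(analyze_svg(SAMPLE_SVG))
    print(analyze_svg(BENIGN_SVG))
```

In a mail gateway or sandbox pipeline the same `analyze_svg` call would run over the raw attachment bytes; a hit on `has_script` alone is already unusual for a one-pixel "image", and a recovered URL on a suspicious TLD is a strong signal to quarantine the message. The brute-force over 256 keys only covers the single-byte XOR layer the page describes; a multi-byte key would need a different recovery step.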