By Excello Mail Team

SVG Phishing Files Are Now the Third Most Common Malicious Email Attachment -- and DMARC Cannot Filter Them

SANS Internet Storm Center flagged a surge in SVG phishing attachments in June 2026 after malicious SVG files increased fifty-fold in 2025. These image files embed JavaScript that executes the moment a recipient opens them, bypassing email gateway content filters even when the email passes full SPF, DKIM, and DMARC authentication.

On June 2, 2026, SANS Internet Storm Center handler Xavier Mertens published an analysis of a phishing wave that had been landing in his inbox for several consecutive days. The attachment on each message was an SVG file – a Scalable Vector Graphics image. Each email passed SPF, DKIM, and DMARC checks cleanly. The attachment opened in a browser without any security warning. The malicious payload executed the moment it was clicked.

That sequence is the core problem. The emails were authenticated correctly. The sender was verified. DMARC had nothing to reject. The malicious code was inside the image.

What SVG Files Are and Why They Become Weapons

SVG is an XML-based image format natively supported by every modern browser and operating system. Unlike raster formats such as PNG or JPEG, SVG files describe graphics using markup, which means they can legitimately contain embedded JavaScript.

Web developers use JavaScript inside SVG files to create interactive animations, responsive icons, and data visualizations. The format is widely trusted by browsers, operating systems, and email clients precisely because the overwhelming majority of SVG files in the world are exactly what they appear to be: images.

Attackers recognized that this trust could be exploited. An SVG file containing embedded JavaScript is opened by the browser the moment a user double-clicks it. No special software, no elevated permissions, no warning dialog. The script runs immediately and redirects the browser to a credential-harvesting page tailored specifically to that recipient’s email address.

The Scale of the Surge

The numbers are significant. Malicious SVG attachments increased fifty-fold in 2025 compared to 2024. Research from KnowBe4 documented a 245 percent increase in SVG files used to obfuscate phishing payloads over the same period. SVG files now rank as the third most common malicious email attachment type globally, behind only PDFs and HTML files.

In a single SVG-based phishing campaign tracked in February 2026, Microsoft recorded delivery of 1.2 million messages to more than 53,000 organizations across 23 countries. That one campaign reached a significant fraction of global enterprise email infrastructure.

Scale is enabled by automation. Attackers generate unique SVG variants for each email: the filename changes, the subject line changes, and the encoded payload changes with every message. This polymorphic behavior makes hash-based detection ineffective. Each message looks different to security tools even though the underlying attack structure is identical.

Why Email Gateways Miss It

The current SVG phishing campaigns exploit several layers of evasion simultaneously.

SVG files are treated as images by most email security gateways. Attachment scanning policies that block executables, scripts, and archives typically leave image files alone. Security teams tuned those policies based on historical threat patterns, and until 2024, SVG files rarely appeared in phishing campaigns in any meaningful volume.

The malicious payload inside the SVG is obfuscated. The June 2026 campaign documented by SANS used XOR-based obfuscation of the JavaScript payload (a simple encoding, not real encryption) combined with an obsolete ECMAScript MIME type declaration that some scanning tools no longer inspect. Neither evasion technique is new in isolation. Stacked together with a trusted image format, they create a detection gap that most gateway configurations do not currently close.
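The traits described above (a script element inside an image, an obsolete ECMAScript MIME type, a character-code decode loop with XOR, a redirect) are all visible to a static check that never executes the file. The scanner below is an added example written for this article, not code from Excello Mail or from the SANS analysis; the three SVG fixtures are constructed, and the only "payload" in them is a placeholder that points nowhere. It goes slightly beyond the article by also flagging event-handler attributes and javascript: hrefs, which are the other two ways script can ride inside an SVG.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fixtures: a benign icon, a file with the traits the article
# describes (CDATA-wrapped script, obsolete MIME type, XOR + fromCharCode
# decode, redirect), and one carrying script in an event attribute instead.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">
  <circle cx="8" cy="8" r="6" fill="#336699"/>
</svg>"""

SUSPECT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <rect width="1" height="1" fill="white"/>
  <script type="text/ecmascript"><![CDATA[
    var k = 7, e = [111, 115, 115, 119, 116, 61, 40, 40];
    var s = "";
    for (var i = 0; i < e.length; i++) { s += String.fromCharCode(e[i] ^ k); }
    window.location = s + "PLACEHOLDER.invalid/";
  ]]></script>
</svg>"""

EVENT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert('constructed')">
  <rect width="1" height="1"/>
</svg>"""

# Script MIME types the HTML standard lists as obsolete but browsers still run.
OBSOLETE_SCRIPT_TYPES = {
    "text/ecmascript", "application/ecmascript",
    "text/x-ecmascript", "application/x-ecmascript",
    "text/jscript", "text/x-javascript", "application/x-javascript",
}

# Textual indicators of decode-and-redirect logic inside a script body.
OBFUSCATION_PATTERNS = [
    (re.compile(r"String\.fromCharCode"), "charcode-decode"),
    (re.compile(r"\^\s*\w+"), "xor-operator"),
    (re.compile(r"\batob\s*\("), "base64-decode"),
    (re.compile(r"\b(?:eval|Function)\s*\("), "dynamic-eval"),
    (re.compile(r"\blocation\s*(?:=|\.href|\.replace|\.assign)"), "redirect"),
]


def _local(tag: str) -> str:
    """Drop the {namespace} prefix ElementTree puts on tags and attributes."""
    return tag.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list:
    """Return indicator labels found in an SVG; an empty list means clean.

    The stdlib parser is used here for portability; on a real gateway use
    defusedxml, because expat-based ElementTree is exposed to entity-expansion
    denial of service from hostile XML.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"parse-error:{exc}"]  # an unparseable "image" is itself a signal
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name == "script":
            findings.append("script-element")
            stype = (el.get("type") or "").strip().lower()
            if stype in OBSOLETE_SCRIPT_TYPES:
                findings.append(f"obsolete-script-type:{stype}")
            if any(_local(a) == "href" for a in el.attrib):
                findings.append("external-script")
            body = el.text or ""
            for pattern, label in OBFUSCATION_PATTERNS:
                if pattern.search(body):
                    findings.append(label)
        elif name == "foreignObject":
            findings.append("foreignObject")  # can wrap arbitrary HTML
        for attr, value in el.attrib.items():
            aname = _local(attr).lower()
            if aname.startswith("on"):
                findings.append(f"event-handler:{aname}")
            elif aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript-href")
    return findings


def is_suspicious(data: bytes) -> bool:
    """Gateway verdict: any finding at all is enough to hold the file."""
    return bool(scan_svg(data))


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("suspect", SUSPECT_SVG), ("event", EVENT_SVG)):
        print(label, scan_svg(blob))
```

Run on the suspect fixture it reports the script element, the obsolete type, the decode, XOR and redirect indicators; the benign icon produces nothing. Because the verdict is "any script-capable construct at all", it deliberately treats legitimate interactive SVGs as suspicious too, which matches the article's point that external senders rarely have a business reason to mail them.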

The phishing destination is typically hosted on a recently registered domain with limited abuse history. Reputation-based URL filtering has nothing to flag because the domain has not appeared in threat feeds long enough to be listed.

The Authentication Paradox

This is where the SVG phishing wave intersects with DMARC in a way that matters for every administrator managing email authentication.

DMARC, SPF, and DKIM verify sender identity. They answer a specific question: does this email actually come from the domain it claims to come from? When a phishing email passes full authentication, it means the mail came from a legitimate sending source – either an authorized mail server or, in many cases, a compromised user account.

SVG phishing frequently originates from compromised accounts at legitimate organizations. An attacker gains access to a real mailbox and sends SVG-laced messages from there. Those messages carry the domain owner’s valid DKIM signature. They originate from SPF-authorized infrastructure. They align for DMARC. The authentication verdict is Pass across all three protocols.

The sending domain’s DMARC p=reject policy, as enforced by the receiving organization, does nothing in this scenario because the mail is not spoofed. It comes from exactly who it claims to come from: a real person at a real company whose account has been taken over.

This pattern is consistent with how post-authentication threats evolve. As organizations enforce DMARC and reduce volumes of spoofed mail, attackers shift to techniques that operate within the authentication layer rather than against it. SVG payloads delivered through authenticated mail are a specific, measurable instance of that shift.

What to Do

DMARC enforcement remains essential. It eliminates spoofed mail that would otherwise carry these payloads at far greater scale. But addressing SVG phishing requires action at the attachment filtering layer in addition to the authentication layer.

Strip or sandbox SVG attachments at the gateway. Most organizations have no legitimate business reason to receive SVG files as email attachments. Adding SVG to the blocked or sandboxed attachment types at the gateway level closes the delivery path for this technique. If your environment requires SVG files for internal workflows, consider routing those through a file-sharing platform rather than email.

Expand sandboxing beyond executables. Legacy gateway configurations treat only files with executable extensions as dangerous. The SVG wave demonstrates that image files can now carry execution-capable payloads. Sandboxing should cover any file type that a browser or operating system will open natively without a user prompt.

Monitor DMARC aggregate reports for unexpected sending sources. When user accounts at your domain are compromised and used to send phishing mail, DMARC aggregate reports from receiving organizations will show authentication passes from unexpected IP addresses. Early detection of a compromised account limits the damage before it has sent thousands of SVG payloads outward.
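A script that reads an aggregate (RUA) report and raises the two signals this step describes, an authenticated pass from a source you do not recognise and a known source suddenly sending far more than usual, looks like this. It is an added example and not Excello Mail's code; the report is constructed in the RFC 7489 XML layout, and the known-sender networks and per-source baseline are assumptions a domain owner would maintain themselves. The volume check is the caveat worth keeping in mind: if the compromised account sends through your own relay, the source IP is your usual one and only the count moves.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed RUA report: the domain's own relay (unusually busy), an unknown
# host that nevertheless passes DKIM and SPF, and a spoofer that fails both.
SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1780000000</begin><end>1780086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip><count>3400</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.5</source_ip><count>15</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

# Assumed operator knowledge: networks allowed to send as the domain, and the
# typical daily volume seen from each known source.
KNOWN_SENDERS = [ipaddress.ip_network("192.0.2.0/24")]
BASELINE = {"192.0.2.10": 300}


def _text(el, path: str, default: str = "") -> str:
    found = el.find(path)
    return found.text.strip() if found is not None and found.text else default


def parse_records(report_xml: bytes) -> list:
    """Flatten each <record> into a dict of source, count and aligned results."""
    root = ET.fromstring(report_xml)
    records = []
    for rec in root.iter("record"):
        records.append({
            "source_ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count", "0")),
            "disposition": _text(rec, "row/policy_evaluated/disposition"),
            "dkim": _text(rec, "row/policy_evaluated/dkim"),
            "spf": _text(rec, "row/policy_evaluated/spf"),
            "header_from": _text(rec, "identifiers/header_from"),
        })
    return records


def find_anomalies(report_xml: bytes, known_networks, baseline: dict, spike_factor: float = 3.0) -> list:
    """Flag DMARC passes from unknown sources and volume spikes from known ones.

    Records that fail both aligned checks are skipped: the published policy
    already dealt with them, which is exactly what DMARC is for.
    """
    alerts = []
    for r in parse_records(report_xml):
        if r["dkim"] != "pass" and r["spf"] != "pass":
            continue
        ip = ipaddress.ip_address(r["source_ip"])
        if not any(ip in net for net in known_networks):
            alerts.append(("unknown-source-pass", r["source_ip"], r["count"]))
            continue
        expected = baseline.get(r["source_ip"])
        if expected is not None and r["count"] > spike_factor * expected:
            alerts.append(("volume-spike", r["source_ip"], r["count"]))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_REPORT, KNOWN_SENDERS, BASELINE):
        print(*alert)
```

Real reports arrive compressed (.zip or .gz) at the rua= mailbox, so a production version decompresses first and aggregates across the many receivers that report; the parsing and the two rules are the same.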

Enforce DMARC at p=reject. DMARC does not filter content, but it does eliminate spoofed mail entirely. Organizations with no DMARC policy or a p=none policy are more attractive targets for attackers seeking domains to spoof at scale. Enforcing p=reject removes that option and pushes attackers toward the costlier route of actually compromising real accounts.

Update user training on attachment types. Most users treat image files as low-risk. That assumption needs updating. SVG files from external senders are not routine business attachments and should be treated with the same suspicion as executable files.
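The first two recommendations (strip SVG at the gateway, and stop trusting the extension or declared type alone) come together in a small inbound filter. The code below is an added illustration, not Excello Mail's product or any gateway's built-in policy; the sample message is constructed with the standard library and includes an attachment that claims to be a PNG but carries SVG markup, the mislabelling case a pure extension block would miss.

```python
import email
import email.policy
import gzip
import zlib
from email.message import EmailMessage

SVG_TYPES = {"image/svg+xml"}
SVG_EXTENSIONS = (".svg", ".svgz")


def looks_like_svg(payload: bytes) -> bool:
    """Content sniff: the declared MIME type and the filename can both lie."""
    if payload[:2] == b"\x1f\x8b":  # gzip magic, i.e. an .svgz body
        try:
            payload = gzip.decompress(payload)
        except (OSError, EOFError, zlib.error):
            return False
    head = payload.lstrip(b"\xef\xbb\xbf \t\r\n")[:512].lower()
    return head.startswith(b"<svg") or (head.startswith(b"<?xml") and b"<svg" in head)


def is_svg_part(part) -> bool:
    """Match on declared type, then extension, then the bytes themselves."""
    if part.get_content_type() in SVG_TYPES:
        return True
    if (part.get_filename() or "").lower().endswith(SVG_EXTENSIONS):
        return True
    return looks_like_svg(part.get_payload(decode=True) or b"")


def strip_svg_attachments(raw: bytes) -> "tuple[EmailMessage, list[str]]":
    """Replace every SVG attachment with a text notice; return (message, removed names)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    removed = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Message bodies are text parts without a filename; leave those alone.
        if part.get_content_maintype() == "text" and not part.get_filename():
            continue
        if is_svg_part(part):
            name = part.get_filename() or "(unnamed)"
            removed.append(name)
            # set_content() discards the old Content-* headers and payload.
            part.set_content(f"[Attachment '{name}' removed by gateway policy: SVG is not accepted]")
    return msg, removed


def attachment_types(msg) -> list:
    """Content types of the parts that still carry a filename."""
    return [p.get_content_type() for p in msg.walk() if p.get_filename()]


def build_sample() -> bytes:
    """Constructed inbound message: one honest SVG, one SVG labelled as PNG, one PDF stub."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(b"<svg xmlns='http://www.w3.org/2000/svg'><script>/* constructed */</script></svg>",
                       maintype="image", subtype="svg+xml", filename="invoice.svg")
    msg.add_attachment(b"<?xml version='1.0'?><svg xmlns='http://www.w3.org/2000/svg'/>",
                       maintype="image", subtype="png", filename="logo.png")
    msg.add_attachment(b"%PDF-1.4 constructed stub, not a real document",
                       maintype="application", subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


# Compressed variant used to exercise the .svgz branch (constructed).
SVGZ_SAMPLE = gzip.compress(b"<svg xmlns='http://www.w3.org/2000/svg'/>")


if __name__ == "__main__":
    cleaned, names = strip_svg_attachments(build_sample())
    print("removed:", names)
    print("remaining attachments:", attachment_types(cleaned))
```

The filter only looks at direct attachments; SVG files inside ZIP or other archives need the archive expanded first, which is the usual job of the sandbox layer the next recommendation describes. Inline-base64 SVG inside an HTML body is likewise a separate check.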


Excello Mail gives you continuous DMARC aggregate report visibility, authentication alignment monitoring across all your sending sources, and sending infrastructure alerts that flag unexpected IP addresses before a compromised account becomes a phishing launchpad. Sign up for free to Excello Mail and close the visibility gaps that SVG phishing campaigns exploit.