That Harmless-Looking Image Attachment Might Be a Phishing Page

[Image: a person looking warily at an email attachment on a laptop]

Most people have learned to be wary of email attachments. A spreadsheet from a stranger, a zip file you were not expecting — those raise an eyebrow now. But an image? An image feels safe. It is just a picture. That instinct is exactly what attackers are exploiting in a wave of phishing we have been watching, and the file type at the center of it is one most people have never heard of: the SVG.

TL;DR

Attackers are sending phishing as SVG image attachments. Unlike a normal photo, an SVG can carry code, so opening one can quietly load a fake login page right in your browser. The defense is unchanged in spirit: do not open attachments you were not expecting, never type your password into a page you reached from an email, and tell your team that "it is just an image" is no longer a safe assumption.

What an SVG is, and why it is different

Most images — JPGs, PNGs — are just pixels. A grid of colored dots and nothing else. There is no behavior inside them. An SVG is a different animal. It is a "scalable vector graphic," and instead of pixels it is built from instructions written in text, the same family of code that builds web pages. That is what lets a logo stay crisp at any size.

The catch is that because an SVG is really a little document, it can contain scripts — active code that runs when the file is opened in a browser. A picture that can run code is a very different thing from a picture that just sits there. That is the door attackers walked through.

How the attack plays out

The email arrives looking ordinary. Often it poses as a shared document, a voicemail, a fax, or a signature request — something you might plausibly be waiting on. Attached is what appears to be an image file. Because email filters have historically treated images as harmless, the message often sails straight into the inbox.

You open the attachment. Instead of a picture, your browser quietly renders a login page — a near-perfect copy of Microsoft 365, your bank, or some other service you trust. Everything looks right. You type your username and password, and they go straight to the attacker. No alarm, no obvious download, no broken English. Just a convincing page that you opened yourself.

How to spot it and shut it down

The good news is that the human defenses against this are the same ones that stop ordinary phishing — they just need to extend to a file type people did not use to worry about.

Treat an unexpected attachment as suspect no matter what kind of file it claims to be, image included. Be especially wary of an attachment that, when opened, immediately asks you to log in — a real image never needs your password. When in doubt about a document someone "shared," go to the service directly in your browser and sign in there, rather than through anything the email handed you. And if a message creates a sense of urgency — a payment is overdue, an account will be closed, a voicemail is waiting — slow down. Urgency is the oldest lever in the book.

On the technical side, there is more that can be done. Many email systems can be configured to flag or strip SVG attachments, which few legitimate senders use for everyday business. Multi-factor authentication also softens the blow: if someone does hand over a password, a second factor can keep the account from opening. None of that replaces an alert team, but it raises the wall.
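To make the two technical points above concrete (an SVG is a text document that can carry script, and a mail system can flag SVG attachments), here is a small triage script added to this article. It is not the author's tooling or any vendor's product; it uses only the Python standard library. It parses a raw email, recognises SVG attachments by their content rather than by the declared type or file extension (both of which the sender controls), and reports the constructs that let an SVG do more than draw: script elements, event-handler attributes, foreignObject, and hrefs that point off the page. The sample messages, attachments and the hostname login.example.invalid are constructed placeholders.

```python
"""Triage SVG email attachments for active content.

Added example for this article, not the author's own tooling. Everything here
is standard-library Python and runs offline on constructed sample messages.
"""
import email
import re
import xml.etree.ElementTree as ET  # for real untrusted mail, prefer the defusedxml package
from email import policy
from email.message import EmailMessage

# Elements that let an SVG do more than draw; foreignObject can embed HTML.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# href values that navigate somewhere or execute code instead of pointing at a local id.
RISKY_HREF = re.compile(r"^\s*(javascript:|data:|https?://)", re.I)


def local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on element and attribute names."""
    return name.rsplit("}", 1)[-1]


def looks_like_svg(data: bytes) -> bool:
    """Identify SVG by content; the declared MIME type and extension are sender-controlled."""
    head = data.lstrip()[:512].lower()
    return head.startswith(b"<svg") or (head.startswith(b"<?xml") and b"<svg" in head)


def scan_svg(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means no active content was seen."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc})"]  # malformed is still worth a look
    for elem in root.iter():
        tag = local(elem.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            aname = local(attr)
            if aname.lower().startswith("on"):  # onload, onclick, ...
                findings.append(f"{aname} handler on <{tag}>")
            elif aname == "href" and RISKY_HREF.match(value):
                findings.append(f"external or scripted href on <{tag}>: {value[:60]}")
    return findings


def triage_message(raw: bytes) -> list[dict]:
    """Parse a raw RFC 822 message and scan every attachment that is really an SVG."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename and part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        if not looks_like_svg(payload):
            continue
        findings = scan_svg(payload)
        results.append({
            "filename": filename,
            "declared_type": part.get_content_type(),
            "active": bool(findings),
            "findings": findings,
        })
    return results


def build_sample(filename: str, content_type: str, body: bytes) -> bytes:
    """Build a constructed test message carrying one attachment (not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Shared document"
    msg.set_content("You have a new shared document, see attached.")
    maintype, subtype = content_type.split("/", 1)
    msg.add_attachment(body, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed sample attachments; the "active" ones contain placeholders that do nothing.
BENIGN_SVG = (b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
              b'<circle cx="50" cy="50" r="40" fill="navy"/></svg>')
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
              b'<script>function init() { /* constructed placeholder; does nothing */ }</script></svg>')
DISGUISED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                 b'<foreignObject width="100" height="100"><a xlink:href="https://login.example.invalid/">'
                 b'Open document</a></foreignObject></svg>')

if __name__ == "__main__":
    samples = [
        ("logo.svg", "image/svg+xml", BENIGN_SVG),
        ("document.svg", "image/svg+xml", ACTIVE_SVG),
        ("invoice.png", "image/png", DISGUISED_SVG),  # wrong extension and type on purpose
    ]
    for name, ctype, body in samples:
        for r in triage_message(build_sample(name, ctype, body)):
            verdict = "QUARANTINE" if r["active"] else "ok"
            print(f"{verdict:10} {r['filename']} (declared {r['declared_type']}): {r['findings']}")
```

Two design notes. The script sniffs the attachment bytes instead of trusting the filename or Content-Type header, because the third sample shows why that matters: an SVG renamed to .png and labelled image/png is still an SVG to the browser that opens it. And a plain logo with shapes and no script, handlers or outbound links produces no findings, which is the basis for a mail rule that quarantines only SVGs with active content rather than blocking every vector graphic. Note also that browsers run SVG script only when the file is opened directly as a document, not when it is displayed through an img tag, which is why this lure depends on the recipient opening the attachment itself.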

The takeaway

The lesson here is not "fear images." It is that the categories we use to decide what is safe are exactly what attackers study and bend. The rule that holds up is simpler than any file-type list: do not enter your password into a page you reached by opening something from your inbox. Reach the service yourself, every time, and most of these tricks fall apart.

If you want help tightening your email filtering or rolling out multi-factor authentication so a single click cannot cost you an account, that is a normal part of our free 30-minute IT review. We work with small teams and ministries around Washington County, and we will tell you plainly what is worth doing.