T1027.017 SVG Smuggling
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files.2 SVGs, or Scalable Vector Graphics, are vector-based image files constructed using XML. As such, they can legitimately include <script> tags that enable adversaries to include malicious JavaScript payloads. However, SVGs may appear less suspicious to users than other types of executable files, as they are often treated as image files.
SVG smuggling can take a number of forms. For example, threat actors may include content that:
- Assembles malicious payloads1
- Downloads malicious payloads4
- Redirects users to malicious websites3
- Displays interactive content to users, such as fake login forms and download buttons.3
SVG Smuggling may be used in conjunction with HTML Smuggling where an SVG with a malicious payload is included inside an HTML file.1 SVGs may also be included in other types of documents, such as PDFs.
| Item | Value |
|---|---|
| ID | T1027.017 |
| Sub-techniques | T1027.001, T1027.002, T1027.003, T1027.004, T1027.005, T1027.006, T1027.007, T1027.008, T1027.009, T1027.010, T1027.011, T1027.012, T1027.013, T1027.014, T1027.015, T1027.016, T1027.017 |
| Tactics | TA0005 |
| Platforms | Linux, Windows, macOS |
| Version | 1.0 |
| Created | 25 March 2025 |
| Last Modified | 15 April 2025 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1048 | Application Isolation and Sandboxing | Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. |
References
-
Adam Katz and Jaeson Schultz. (2022, December 13). HTML smugglers turn to SVG images. Retrieved March 25, 2025. ↩↩
-
Bernard Bautista and Kevin Adriano. (2025, April 10). Pixel-Perfect Trap: The Surge of SVG-Borne Phishing Attacks. Retrieved April 14, 2025. ↩
-
Lawrence Abrams. (2024, November 17). Phishing emails increasingly use SVG attachments to evade detection. Retrieved March 25, 2025. ↩↩
-
Max Gannon. (2024, March 13). SVG Files Abused in Emerging Campaigns. Retrieved March 25, 2025. ↩