The subject line read like a missed call notification: "mCaller left Ohr.customersvc - 34s Preview vHC - June 1, 2026 1502762369."
Nothing else. Open the email and the body is blank. Not sparse. Empty. The entire communication is a single attachment: "Voicemail_vRecording_118sec_Jfccpa3adeb54b3b1.svg."
Someone, supposedly from customer service at a hospitality brand, missed your call. They left a voicemail. It is right there, attached. Thirty-seven kilobytes. Tap to listen.
That tap is the whole attack.
Secure email gateways analyze content. They score URLs, parse body text, match known patterns, check sender reputation. An empty body gives them nothing to score. This is not an accident. Attackers who work in SVG-based phishing campaigns have learned that the threat lives in the attachment, and that moving the payload entirely into a file removes the surface area the gateway was designed to inspect.
The SVG format is central to why this works. Scalable Vector Graphics files are technically XML documents. Browsers render them natively, including any HTML and JavaScript embedded inside. A malicious SVG can contain a fully functional credential-harvesting form, a redirect to a phishing domain, or obfuscated script that executes on open. From the outside, the file has a .svg extension and is reported as text/plain by the MIME header, exactly what a sender would use for a simple image. Nothing about the extension or declared content type flags danger.
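A gateway that wants to act on the point above has to open the attachment and look for the constructs that make an SVG behave like a web page, instead of trusting the declared MIME type. The following is an added example written for this post, not IRONSCALES or Themis code: it content-sniffs the file, then walks the XML for script elements, event-handler attributes, foreignObject and external or javascript: links. The two sample files are constructed for the demonstration and example.invalid is a reserved placeholder domain.

```python
"""Static inspection of an SVG attachment for active content.

Added example for this post, not IRONSCALES or Themis code. The sample SVGs
are constructed; example.invalid is a reserved placeholder domain.
"""
import re
import xml.etree.ElementTree as ET

# Elements that carry or host executable or foreign content inside an SVG.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes that turn a link into navigation or code execution.
RISKY_SCHEMES = ("javascript:", "data:", "http://", "https://")

# Constructed samples: a plain drawing and a voicemail-style lure.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">'
              b'<circle cx="8" cy="8" r="6" fill="#c00"/></svg>')

LURE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
            b'<a xlink:href="https://example.invalid/voicemail">'
            b'<text x="10" y="20">Play voicemail</text></a>'
            b'<script>/* constructed placeholder, no real payload */</script></svg>')


def looks_like_svg(data: bytes) -> bool:
    """Content sniff: an SVG is still an SVG when the MIME header says text/plain."""
    return b"<svg" in data[:4096].lower()


def inspect_svg(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means only static drawing content."""
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Browsers are lenient with broken markup, so a parse failure is itself
        # a finding; fall back to a raw text scan for the obvious markers.
        findings.append(f"malformed XML: {exc}")
        text = data.decode("utf-8", "replace").lower()
        if "<script" in text:
            findings.append("script tag in raw text")
        if re.search(r"\son[a-z]+\s*=", text):
            findings.append("event handler attribute in raw text")
        return findings

    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]          # strip the XML namespace
        if tag in ACTIVE_TAGS:
            findings.append(f"active element <{tag}>")
        for attr, value in elem.attrib.items():
            name = attr.rsplit("}", 1)[-1]         # xlink:href and href both end in href
            if name.lower().startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and value.strip().lower().startswith(RISKY_SCHEMES):
                findings.append(f"risky href on <{tag}>: {value.strip()[:60]}")
    return findings


def verdict(data: bytes) -> str:
    """Collapse the findings into the three outcomes a gateway rule needs."""
    if not looks_like_svg(data):
        return "not-svg"
    return "active-content" if inspect_svg(data) else "static-image"


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, verdict(sample), inspect_svg(sample))
```

The parse-failure branch matters in practice: a file that expat rejects may still render in a browser, so a broken SVG is treated as a finding rather than as "not an image".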
The phishing community has tracked a clear rise in SVG-based delivery since late 2024. Researchers across threat intelligence firms documented the format moving from occasional novelty to recurring campaign staple through 2025, precisely because most email filters treat SVG as a benign image type rather than an executable format. The Microsoft Digital Defense Report 2024 catalogued the broader shift toward file-based payload delivery as URL scanning improved, and SVG represents the newest iteration of that adaptation.
The message arrived through SparkPost, a commercial email service provider. SparkPost's relay infrastructure (mta-80-125[.]sparkpostmail[.]com, 74[.]208[.]79[.]14) is legitimate and widely used for bulk email. That reputational halo is part of why the email survived as far as it did.
At the Microsoft 365 perimeter, authentication failed cleanly across the board. SPF returned none: the sending IP had no authorization relationship with loewshotels.com. DKIM returned none: the message carried no signature. DMARC returned fail for header.from=loewshotels.com, with a quarantine action. The compauth result was none, reason 451.
Despite those results, the message reached the inbox. The Microsoft antispam header assigned an SCL of -1, the lowest possible spam confidence level, which effectively whitelisted the message past content filters. The Forefront report shows CAT:NONE, meaning no category matched, and SFV:NSPM, not spam. The DMARC quarantine action did not translate into a quarantine outcome.
This is the DMARC gap that security teams debate in conference rooms and never fully close. A domain publishes a DMARC policy. A receiving mail system logs the failure. The message lands anyway because enforcement is advisory in a world where legitimate forwarding, ESP relay, and organizational routing regularly break authentication chains. The Verizon DBIR 2026 notes that credentials are involved in 39% of breach paths across the kill chain. The authentication signals exist. Acting on them consistently is the gap.
The sender address, ohr[.]customersvc@loewshotels[.]com, was crafted to look like an internal customer service inbox at a recognizable hotel brand. The From and To fields both listed this address, a self-send pattern that Themis flagged as consistent with Direct Send phishing, where an attacker spoofs an internal-looking address to route a message to real mailboxes.
The subject line's voicemail format was precise: a caller name, a duration ("34s" in the subject, "118sec" in the filename), a date, and a long numeric identifier that mimics a call log entry. Legitimate voicemail-to-email notifications use exactly this structure. The attacker studied the format and reproduced it faithfully enough that a recipient primed to expect a voicemail notification would not pause.
The attachment name itself was not sanitized on extraction. The file was quarantined and the payload reduced to zero bytes during incident handling, with a hash mismatch confirming that the file was caught and neutralized before analysis could retrieve its contents. What was confirmed: the IRONSCALES system classified the attachment as MALICIOUS, a verdict driven by the SVG format's behavioral profile rather than by a hash match to a known sample.
| Type | Indicator | Context |
|---|---|---|
| Email (sender) | ohr[.]customersvc@loewshotels[.]com | Spoofed internal-looking sender, DMARC fail |
| Attachment | Voicemail_vRecording_118sec_Jfccpa3adeb54b3b1.svg | Malicious SVG payload, voicemail lure |
| Host | mta-80-125[.]sparkpostmail[.]com | SparkPost relay used for delivery |
| IP | 74[.]208[.]79[.]14 | SparkPost relay IP |
MITRE ATT&CK maps this to T1566.001 (spearphishing attachment), T1204.002 (user execution: malicious file), and T1656 (impersonation). The attack is textbook: abuse a legitimate file format, impersonate a known brand, use urgency and familiarity to motivate a click.
Themis flagged the message at 90% confidence, citing three factors: the malicious attachment verdict, multiple suspicious patterns in the email structure, and the Direct Send sender fingerprint where an external source used an internal-looking address to send to itself. The incident was automatically resolved as phishing within seconds of delivery.
The platform's advanced malware and URL attack protection layer analyzed the SVG at the attachment level rather than relying on the MIME type declaration or extension alone. That distinction matters: a defender who filters only on extension or MIME type would have seen text/plain and moved on. Behavioral analysis of the file structure identified the format as capable of executing content on open.
The FBI IC3 2024 report documents that phishing remains the top initial access vector by complaint volume, and file-based delivery continues to grow as URL scanning matures. CISA's guidance on recognizing and reporting phishing specifically calls out unexpected file attachments as a primary user-level warning sign, even when the sender appears familiar.
Three controls directly address this attack class. First, SVG files have almost no legitimate use case in business email. A blanket policy to sandbox or block .svg attachments at the gateway would have stopped this before any detection layer was needed.
Second, DMARC failure must mean something operationally. Publishing a DMARC policy and watching failures appear in reports without acting on patterns is not a defense. DMARC management tools that surface failure patterns and push toward stricter enforcement close the gap between policy intent and delivery reality.
Third, the attack relied on SparkPost's relay reputation being legitimate. The Verizon DBIR 2026 notes that 62% of breaches involve the human element, and voicemail curiosity is purpose-built to exploit that. The IBM Cost of a Data Breach 2024 report puts the average breach at $4.88 million. Stopping it before the click requires reading the full picture: failed authentication, unusual sender pattern, suspicious file format, empty body. Any one signal is ambiguous. Together, they are conclusive.
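Reading the full picture is something a mail pipeline can do mechanically. The added example below, written for this post and not IRONSCALES or Themis code, takes one raw message and checks the signals described above: the Authentication-Results values quoted earlier (SPF none, DKIM none, DMARC fail with a quarantine action, compauth none), the self-send From/To pattern, the empty body, and an attachment that is an SVG by name or content regardless of its text/plain declaration. The message is constructed from the header values in the post; the SVG payload, the verdict labels and the two-signal threshold are the author's assumptions.

```python
"""Multi-signal triage of one message.

Added example for this post, not IRONSCALES or Themis code. The raw message is
constructed from the header values quoted in the post; the SVG payload is a
placeholder because the real one was zeroed during incident handling.
"""
import base64
import email
import re
from email import policy
from email.utils import parseaddr

ATTACHMENT_NAME = "Voicemail_vRecording_118sec_Jfccpa3adeb54b3b1.svg"
SVG_PAYLOAD = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* placeholder */</script></svg>'

# Constructed message: headers mirror the post, body part deliberately empty.
RAW_TEMPLATE = """\
Authentication-Results: spf=none (sender IP is 74.208.79.14) smtp.mailfrom=loewshotels.com; dkim=none (message not signed) header.d=none;dmarc=fail action=quarantine header.from=loewshotels.com;compauth=none reason=451
From: ohr.customersvc@loewshotels.com
To: ohr.customersvc@loewshotels.com
Subject: mCaller left Ohr.customersvc - 34s Preview vHC - June 1, 2026 1502762369
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

{BODY}
--b1
Content-Type: text/plain; name="{NAME}"
Content-Disposition: attachment; filename="{NAME}"
Content-Transfer-Encoding: base64

{SVG_B64}
--b1--
"""


def build_sample(svg_attachment: bool = True) -> bytes:
    """Assemble the constructed message; with svg_attachment=False the same
    headers carry a harmless text file instead, to show the DMARC rule alone."""
    name = ATTACHMENT_NAME if svg_attachment else "notes.txt"
    payload = SVG_PAYLOAD if svg_attachment else b"plain text"
    raw = (RAW_TEMPLATE.replace("{BODY}", "")
                       .replace("{NAME}", name)
                       .replace("{SVG_B64}", base64.b64encode(payload).decode()))
    return raw.encode()


def parse_auth_results(header: str) -> dict[str, str]:
    """Pull method=result pairs out of a Microsoft-style Authentication-Results header."""
    results: dict[str, str] = {}
    for clause in header.split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc|compauth)=(\w+)", clause, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
        m = re.search(r"\baction=(\w+)", clause, re.I)
        if m:
            results["dmarc_action"] = m.group(1).lower()
    return results


def find_svg_attachments(msg) -> list[tuple[str, str]]:
    """(filename, declared content type) for every attachment that is an SVG
    by extension or by content, whatever the MIME header claims."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".svg") or b"<svg" in data[:4096].lower():
            hits.append((name, part.get_content_type()))
    return hits


def triage(raw: bytes) -> dict:
    """Collect the weak signals and apply the three controls from the post."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    signals: list[str] = []

    if auth.get("dmarc") == "fail":
        signals.append(f"DMARC fail, policy action={auth.get('dmarc_action', 'none')}")
    if auth.get("spf") == "none" and auth.get("dkim") == "none":
        signals.append("no SPF authorization and no DKIM signature")

    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    if sender and sender == recipient:
        signals.append(f"self-send: From and To are both {sender}")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if not text.strip():
        signals.append("empty body: nothing for content filters to score")

    svgs = find_svg_attachments(msg)
    for name, declared in svgs:
        signals.append(f"SVG attachment {name!r} declared as {declared}")

    # Control 1: SVG in business mail is blocked outright.
    # Control 2: a published quarantine policy is honoured, not just logged.
    # Otherwise two or more weak signals together are enough to hold the message.
    if svgs or (auth.get("dmarc") == "fail" and auth.get("dmarc_action") == "quarantine"):
        result = "quarantine"
    elif len(signals) >= 2:
        result = "hold-for-review"
    else:
        result = "deliver"
    return {"verdict": result, "signals": signals, "auth": auth}


if __name__ == "__main__":
    for line in triage(build_sample())["signals"]:
        print("-", line)
    print("verdict:", triage(build_sample())["verdict"])
```

Each signal on its own is the kind of thing a gateway tolerates every day (a relay without SPF, an empty body, a text/plain attachment); the point of returning the whole list alongside the verdict is that an analyst sees why the message was held, not only that it was.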
The NIST definition of phishing centers on deception and manipulation. A voicemail you never left, from a brand you recognize, in a format that looks like an image: the deception is precise. The defense has to match it.