TL;DR A voicemail notification carried an SVG attachment that most scanners read as a harmless image. Inside the file was a script element positioned under a full-window invisible overlay, a rendering trick that turns a vector graphic into an active payload. The message failed SPF, DKIM, and DMARC, yet a filter allow-list skipped inspection and delivered it to a VIP inbox. Themis flagged the attachment as malicious on behavioral and community signals and quarantined it. Treat SVG as executable content, strip it inbound where it is not needed, and enforce DMARC so a failing verdict actually blocks delivery.
Severity: High Phishing Image Based Attack Attachment Evasion MITRE: T1566.001 MITRE: T1027.006

The attachment looked like a voicemail. A short notification, a duration, a call-back number in the subject line, the kind of automated message that lands in an executive inbox a dozen times a week and gets a reflexive click. The file attached to it was a Scalable Vector Graphics image. Or so the scanners decided.

It was not an image in any meaningful sense. It was a script, hidden inside markup, positioned under a full-window layer set to zero opacity so nothing would ever appear on screen. The graphic was the disguise. The code underneath it was the point.

And here is the part that should bother every security team: the message failed SPF, failed DKIM, and failed DMARC. Every authentication check that exists said this email was not who it claimed to be. It reached a senior executive's inbox anyway.

Why an SVG Is a Program, Not a Picture

Most file formats that carry images (PNG, JPEG, GIF) are raster data. Pixels. There is nothing to execute. Scanners learned to treat image attachments as low-risk because, for those formats, that assumption mostly holds.

SVG breaks the assumption. It is not pixels. It is XML markup, a document format that describes shapes with text and, critically, supports embedded scripts, styles, and interactive elements. A rendering engine that supports scripting (a browser, and some mail client preview panes) will parse that markup and run the code inside it. The .svg extension says picture. The contents say web page.

That gap is the entire attack. In this case, the structured incident record showed the attachment carried a single script element inside otherwise ordinary vector markup. A scanner classifying by extension or MIME type sees an image and moves on. A scanner that actually parses the file sees active content it was never asked to inspect.

The Invisible Layer Doing the Work

The clever part was not the script. It was where the attacker put it.

The file included a styled container set to cover the full render window and stay completely hidden: position:fixed, top:0, left:0, width:100%, height:100%, opacity:0, pointer-events:none. Read that style block and the intent is obvious. Stretch an element across the entire viewport, make it invisible, and let interaction pass through or be captured depending on the payload's needs.

A human opening the file sees a blank or unremarkable graphic. Nothing looks wrong because nothing is meant to be seen. The overlay is a stagehand, not an actor. It exists so the embedded script can operate over the whole surface without ever drawing a pixel a user would question. This is the same family of trick as HTML smuggling, where the malicious logic is assembled and executed at render time rather than shipped as an obvious payload, which is why MITRE tracks it under T1027.006, HTML Smuggling.

There was one more tell. The incident metadata listed the SVG at roughly 2,637 bytes, but the extracted file measured zero bytes on disk. That mismatch is either a sign of deliberate obfuscation or an artifact designed to frustrate deeper inspection. Either way, a file that resists being read cleanly is a file worth treating as hostile.

Authentication Failed and It Landed Anyway

The sender address used a lookalike domain built from the target organization's own brand, reusing the exact same local part as a real internal mailbox. Same username, brand-adjacent domain. To a busy reader, the From line looked internal.

The headers told a different story. The message came in through a third-party mail service (mta-80-125[.]sparkpostmail[.]com, IP 74[.]208[.]24[.]40) with an empty Return-Path. Authentication results were unambiguous: spf=none, dkim=none, dmarc=fail action=quarantine, compauth=fail. Nothing about this message authenticated.

So why did it reach the inbox? Because a filter allow-list overrode the verdict. The message carried a spam confidence level of -1 and a filtering-skipped status, meaning the mail platform decided to skip inspection based on a trusted-sender assumption, even as DMARC returned a quarantine action. The authentication layer did its job and was ignored. This is the recurring lesson of these teardowns: a DMARC policy only protects you if a failing result actually stops the message. If your enforcement is set to monitor, or an allow-list silently outranks it, the verdict is advisory at best. Tightening that loop is exactly what DMARC management and monitoring is for.

What caught it was not authentication and not reputation. Themis, the IRONSCALES agentic AI analyst, scored the attachment as malicious on the combination of a hidden script inside an image-format file, an unauthenticated lookalike sender, a VIP recipient, and community reputation signals matching prior reports. The message was quarantined and the incident auto-resolved as phishing at 86% confidence.

See Your Risk: Calculate how many threats your SEG is missing

Mapping the Attack

The delivery mechanism was a spearphishing attachment (T1566.001), and the evasion was render-time obfuscation (T1027.006). Both matter here, because the attachment cleared the gateway precisely by not looking like a threat until it rendered.

Type Indicator Context
Attachment Voicemail_vRecording_118sec_[token][.]svg SVG carrying an embedded script element, verdict malicious
Style artifact position:fixed; opacity:0; pointer-events:none Full-window invisible overlay hiding the active layer
Relay mta-80-125[.]sparkpostmail[.]com Third-party ESP used to deliver the unauthenticated message
IP 74[.]208[.]24[.]40 Sending host, SPF none
Header Return-Path: <> Empty return path, no bounce accountability
Auth spf=none; dkim=none; dmarc=fail Full authentication failure, delivered anyway

The voicemail theme was the social engineering, and it was well chosen. Callback and voicemail lures now make up a measurable slice of what reaches inboxes. The 2026 Verizon Data Breach Investigations Report puts phishing at 16% of breach initial-access vectors, and its gateway telemetry breaks the inbound mix into roughly 80% plain phishing, 10% malware-laden messages, and 5% callback-style lures. A voicemail notification with an attachment sits right at the seam between those categories.

Closing the SVG Blind Spot

The fix is not exotic. It is a set of assumptions worth retiring.

  • Treat SVG as active content, not an image. Inspect it the way you inspect HTML. If your gateway classifies SVG by MIME type and skips it, that is a policy gap, not a detection gap.
  • Strip or block inbound SVG where users do not need it. Very few employees receive legitimate SVG attachments by email. The format's business value inbound is close to zero, and its abuse value is rising fast. This is the kind of policy that advanced malware and URL protection should enforce by default.
  • Make DMARC enforcement mean something. A quarantine verdict that an allow-list can silently override is not enforcement. Audit which trusted-sender rules outrank authentication, because attackers on lookalike domains are counting on exactly that override.
  • Score behavior, not just credentials. Authentication and reputation both passed this message along. What stopped it was a model weighing a hidden script, an unauthenticated lookalike sender, and a high-value recipient together. Microsoft's 2024 Digital Defense Report and CISA phishing guidance both point the same direction: layered, behavior-aware defense beats any single control.

The attacker's whole plan depended on one habit: that an image extension earns a pass. The moment you stop trusting the extension and start reading the file, the disguise falls apart.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.

Related attacks

Attack What happened
Sign Here, Get Phished: Inside an Adobe Sign Lure With a Multi-Hop Redirect to Credential Theft An Adobe Sign e-signature lure routed recipients through a multi-hop redirect chain ending at fameklinik[.]com.
DocuSign Plus Invoice: A 12-Day-Old Domain and an esvalabs Redirect Chain That Scanners Missed A phishing campaign combined DocuSign branding with an invoice thread pretext, sent from a 12-day-old privacy-protected domain via Amazon SES.
When the Phishing Kit Ships Early: Exposed Template Variables Reveal Attack Infrastructure A premature phishing kit deployment exposed raw template variables in the subject line and a placeholder URL.
Funding Agreement, Forged Approval: How a Three-Layer Redirect Chain Targeted Finance Leadership A phishing campaign impersonating a document-signing platform targeted a VP of Finance with a forged funding agreement.
Hungarian Bank, Nepali Domain, Broken Encoding: How a K&H Bank Phishing Kit Exposed Itself A K&H Bank impersonation campaign sent from a Nepali domain used DKIM signing and hotlinked the real bank's favicon.

Explore More Articles

Say goodbye to Phishing, BEC, and QR code attacks. Our Adaptive AI automatically learns and evolves to keep your employees safe from email attacks.