Email has a problem — and it’s not getting fixed. Less than 10% of email traffic is now genuine; the rest is at best annoying spam and at worst much more dangerous than that. Despite the best efforts of Google, Microsoft and others, email remains painful and wedded to an architecture that’s long past its due date. It’s time for a rethink.
The latest Email Threat Trends Report from VIPRE paints a bleak picture. “Even though we’ve been doing this for years, we still found email attack trends this quarter that hit us as new and concerning.” The team says “over 90% of all emails this quarter were classified as spam,” but it’s their malware warnings that will stand out.
I’ve warned before that PDF attachments have become the favored attack tool, with bad actors preying on the view amongst many users that they’re benign, safer than a Word or Excel document. But VIPRE says PDFs are now “barely retaining their lead. PDFs are usually uncontested contenders (much like Microsoft) but SVG files have seemingly come out of nowhere to take up a competitive share of malicious space.”
SVG files have been flagged for years as a security risk, but that threat is now surging as attackers find ways to bypass defenses. “Up until this point, SVGs have been recognized by email security tools as generally benign image files, which is why attackers are now having so much success hiding their nefarious exploits in them.”
While in Q1, PDFs still topped the list of “attackers’ favorite attachments of choice,” it was a close-run contest with SVGs — 36% to 34%.
As Sophos explains, “the attacks, which begin with email messages that have .svg file attachments, started to spread late last year, and have ramped up significantly since mid-January.” SVG files are “resizable, vector-based images” that should open in the default browser on a Windows PC. “But SVG files are not just composed of binary data, like the more familiar JPEG, PNG, or BMP file formats. SVG files contain text instructions in an XML format for drawing their pictures in a browser window.”
According to KnowBe4, between January and March, SVG attacks saw “a 245% increase compared to attacks sent between October and December… The largest spike to date occurred on March 4th, with SVGs accounting for 29.5% of all malicious attachments.”
Because SVG files are XML text instructions rather than plain image data, they can contain malicious instructions and are not restricted to their core imaging functionality. “The SVG files used in attacks include some instructions to draw very simple shapes, such as rectangles,” Sophos says, “but also contain an anchor tag that links to a web page hosted elsewhere.” That link triggers a webpage to open, which will be a socially engineered lure to log into a Microsoft, Google or similar account.
As with PDFs, if you see an SVG attachment that is not specifically expected from someone you know, delete the email: it’s an attack. The text in front of the .SVG filetype will make it look like something else, such as a video or a normal image. But don’t be fooled. Hit delete every time.
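The structure Sophos describes (a few simple shapes plus an anchor tag pointing at a page hosted elsewhere) is something a mail gateway can check for, because an SVG is XML. The following is an added example, not code from this article or from the vendors it quotes; the function name, finding labels and sample SVG (with its `.invalid` hostname) are constructed for illustration, and only Python's standard library is used.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Elements that run script or embed HTML; an image attachment never needs them.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}

def local(name: str) -> str:
    """Strip the XML namespace: '{ns}a' -> 'a' (also covers xlink:href)."""
    return name.rsplit("}", 1)[-1]

def scan_svg(data: bytes) -> list[str]:
    """Return reasons to quarantine an SVG attachment (empty list = none found)."""
    # Refuse entity declarations up front rather than let the parser expand them.
    if re.search(rb"<!ENTITY", data, re.I):
        return ["entity-declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["malformed-xml"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"active-element:{tag}")
        for attr, value in el.attrib.items():
            name = local(attr)
            if name.lower().startswith("on"):      # onload, onclick, ...
                findings.append(f"event-handler:{name}")
            elif name == "href":
                url = urlparse(value.strip())
                scheme = url.scheme.lower()
                if scheme in ("http", "https"):
                    kind = "external-link" if tag == "a" else "external-ref"
                    findings.append(f"{kind}:{url.hostname}")
                elif scheme == "javascript":
                    findings.append(f"javascript-uri:{tag}")
    return findings

# Constructed sample matching the description: a rectangle wrapped in an anchor.
LURE = b"""<svg xmlns="http://www.w3.org/2000/svg" width="300" height="80">
  <a href="https://login.example.invalid/session">
    <rect width="300" height="80" fill="#eee"/>
  </a>
</svg>"""
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="9" height="9"/></svg>'

if __name__ == "__main__":
    print(scan_svg(LURE))    # flags the external anchor
    print(scan_svg(BENIGN))  # nothing to flag
```

Any non-empty result is a reason to hold the message; a drawing that is only shapes returns an empty list.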