Credential phishing with nested attachments and a base64-encoded attack within an iframe

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.

EMAIL PROVIDER: Microsoft 365

ATTACK TYPE: Credential Phishing

Last week’s Attack Spotlight looked at SVG attachments containing malicious code. The same day we posted that blog, we also launched a few new platform features, including the beta.scan_base64 function that identifies base64-encoded strings within text content and decodes them into readable strings. One of the key use cases for this functionality is analyzing HTML attachments for encoded data.

A few days later, the stars aligned and we saw a credential phishing attack featuring an EML attachment used to hide an SVG file that contained a base64-encoded attack within an iframe. Here’s how the attack worked:

  • The target is sent an email featuring an urgent subject: ACH Deposit Issue – Immediate Attention Needed
  • The message is blank, but has an attached EML file. Some email clients will automatically render EML files, a behavior we covered in a recent EML attachment Attack Spotlight.
  • When the EML is rendered within the email client, it has its own SVG attachment. This attachment has a filename that makes it appear to be a voicemail recording.
  • If opened, the SVG launches in a browser window and the target is taken to a fake Microsoft login screen designed to phish their credentials.

Decoding the attack

We’ve covered both EML- and SVG-based attacks in previous blogs. What makes this attack interesting is the numerous layers of evasion.

Sublime’s file.explode enrichment function performs data collection and/or file extraction on attachments. In the case of this message, recursive file explosions first identified the SVG within the EML, and then the base64-encoded attack within the SVG:

The base64 attack hidden within an iframe within an SVG (redacted)

The beta.scan_base64 enrichment then decodes that text to reveal an HTML document that will be used to launch the attack.

The HTML attack hidden within the base64 encoding (redacted)
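As an added example that is not part of the original post or Sublime's code, here is a small Python stand-in for the recursive explosion and base64 decoding described above. It builds a constructed message with the same nesting (blank body, attached EML, attached SVG whose iframe carries a base64 data: URI with harmless placeholder HTML), then walks the attachments and records the signals a detector would want; the filenames and HTML content are made up for the example.

```python
import base64
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed stand-in for the real payload: harmless HTML in a base64 data: URI,
# inside an <iframe>, inside an SVG (same structure as the attack, no attack code).
INNER_HTML = "<html><body><p>constructed sample login form</p></body></html>"
SVG_DOC = ('<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
           '<iframe src="data:text/html;base64,'
           + base64.b64encode(INNER_HTML.encode()).decode() + '"></iframe>'
           '</foreignObject></svg>')

def build_sample() -> bytes:
    """Blank outer message -> attached EML -> attached SVG (all constructed)."""
    inner = EmailMessage()
    inner.set_content("")
    inner.add_attachment(SVG_DOC.encode(), maintype="image", subtype="svg+xml",
                         filename="VM_Audio_Message.svg")
    outer = EmailMessage()
    outer["Subject"] = "ACH Deposit Issue - Immediate Attention Needed"
    outer.set_content("")
    outer.add_attachment(inner, filename="notice.eml")  # becomes a message/rfc822 part
    return outer.as_bytes()

def explode(msg: EmailMessage, depth: int = 0, findings=None) -> list:
    """Recursively walk attachments, collecting (signal, depth, detail) tuples."""
    findings = [] if findings is None else findings
    for part in msg.iter_attachments():
        ctype, name = part.get_content_type(), part.get_filename() or ""
        if ctype == "message/rfc822":
            findings.append(("eml_attachment", depth, name))
            explode(part.get_content(), depth + 1, findings)  # descend into the EML
        elif ctype == "image/svg+xml" or name.lower().endswith(".svg"):
            text = part.get_content().decode("utf-8", "replace")
            if re.search(r"<iframe\b", text, re.I):
                findings.append(("svg_with_iframe", depth, name))
            # Rough stand-in for a base64 scanner: decode long base64 runs in the SVG text.
            for m in re.finditer(r"base64,([A-Za-z0-9+/=]{16,})", text):
                decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
                findings.append(("base64_payload", depth, decoded))
    return findings

def analyze_sample() -> list:
    return explode(email.message_from_bytes(build_sample(), policy=policy.default))

if __name__ == "__main__":
    for signal, depth, detail in analyze_sample():
        print(f"{'  ' * depth}{signal}: {detail[:60]}")
```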

This HTML then contained a portion of code with custom encoding, further hiding the attack type. At this point, there are more than enough signals for Sublime to label this message as malicious. But Sublime’s Detection team wanted to dig deeper.

Using the obfuscation code provided right within the HTML, we built a de-obfuscation function to identify the value of varcdcxho. Here’s how we did it:

import re

def deobfuscate(encoded_str):
    try:
        # Step 1: Remove unwanted characters (xqzmv)
        cleaned_str = re.sub(r"[xqzmv]", "", encoded_str)

        # Step 2: Reverse the string before splitting
        reversed_str = cleaned_str[::-1]

        # Step 3: Extract hex values
        hex_values = reversed_str.split("-")

        # Step 4: Convert hex values into chars
        decoded_chars = []
        for h in hex_values:
            try:
                decimal_value = (int(h, 16) - 7) // 3  # Use Math to crush evil

                # Ensure it's a valid ASCII character
                if 32 <= decimal_value <= 126:
                    decoded_chars.append(chr(decimal_value))

            except ValueError:
                continue  # Skip invalid hex values

        # Step 5: Join the decoded output 
        decoded_url = "".join(decoded_chars).strip()

        return decoded_url

    except Exception as e:
        return f"Decoding error: {str(e)}"

# naughty strings
encoded_str = "eb-eb-af-d21-961-1f-e41-bqe-661-901-[very redacted]"

# do it
final_url = deobfuscate(encoded_str)

# win
print(f"Deobfuscated URL: {final_url}")

This de-obfuscation gave us the attack URL, which was hosted on compromised infrastructure that has since been remediated. Combining all the tactics within this attack, we saw:

  1. Attached EML that autolaunches in certain clients
  2. Attached SVG disguised as a voicemail
  3. An iframe within the SVG that’s smuggling malicious code
  4. Base64 encoding of the smuggled malicious code
  5. Custom obfuscation of the payload URL within the base64-decoded attack

All that was to phish credentials, highlighting the lengths attackers will go to, the novel approaches they’ll apply, and most importantly, the perceived value of your login credentials.

Detection signals

Sublime's AI-powered detection engine flagged this message as malicious. The top signals in this attack are:

  • EML attachment: The message contains an attached EML. Attackers will hide attacks within an attached EML, rather than the main message, to avoid detection.
  • SVG with iframe: An attached SVG contains iframe code, which can be used for smuggling malicious code.
  • Base64 encoding within attachment: The attached SVG contains base64 encoding within its XML structure. Attackers will encode their payload to avoid detection.

Additionally, the Attachment: EML with Embedded Javascript in SVG file (unsolicited) Detection Rule includes the beta.scan_base64 enrichment to detect this type of attack.

And a special shout out to Kevin K. in the Sublime Community Slack for being the first person to let us know they’re using the new beta.scan_base64 enrichment 🎉🎉🎉

Prevent credential phishing with Sublime

Sublime detects and prevents smuggled and encoded email-based threats. Start your free account today, in the cloud or self-hosted, for out-of-the-box coverage for these types of attacks with the ability to customize their handling for your environment.

About the Authors

Sam Scholten

Detection

Sam is the Head of Detection at Sublime. Prior to Sublime, he was a Staff Email Security Researcher at Proofpoint where he developed a business email compromise (BEC) taxonomy and formulated key detection methodologies and rules.

Brandon Murphy

Detection

Brandon is a Threat Detection Engineer at Sublime. He is a seasoned cybersecurity professional with over a decade of experience protecting internet users. Prior to Sublime, Brandon put his detection engineering expertise to use as a Sr. Staff Threat Analyst at Proofpoint.
