Medium Severity

Attachment: Embedded Javascript in SVG file (unsolicited)

Labels

Description

Javascript inside SVG files can be used to smuggle malicious payloads or execute scripts.

References

https://delivr.to/payloads?id=511ae995-5401-4c60-ae50-08a5b12b3f4b

https://delivr.to/payloads?id=28178b12-766d-44d5-8654-d372a94ff961

https://delivr.to/payloads?id=3dce858d-7be3-412e-85d9-84f3b9845275

https://delivr.to/payloads?id=a0a38332-21b6-4394-b901-3697008e3440

Sublime Security

Created Aug 17th, 2023 • Last updated Oct 4th, 2023

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(attachments,
        (.file_extension =~ "svg" or .file_extension in $file_extensions_common_archives)
        and any(file.explode(.),
                .file_extension == "svg"
                and "script" in~ .scan.xml.tags
                // unclear if this is necessary, but it's been observed
                // in all payloads we've seen, so we'll include it
                // as an extra FP precaution
                and any(.scan.strings.strings, strings.icontains(., "CDATA"))
        )
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)

MQL Console

•

View MQL Guide

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.