Medium Severity

Attachment: SVG file with HTML entity encoded href attributes

Description

Detects SVG file attachments containing href attributes with three or more consecutive HTML numeric entity references, a technique used to obfuscate malicious URLs and evade security scanning.

References

No references.

Sublime Security
Created May 20th, 2026 • Last updated May 20th, 2026
Source
type.inbound
and any(attachments,
        (
          .file_extension == "svg"
          or .content_type in ("image/svg+xml")
          or .file_type == "svg"
        )
        // href value starting with 3+ HTML numeric entity references
        and regex.icontains(file.parse_text(.,
                                            encodings=[
                                              "ascii",
                                              "utf8",
                                              "utf16-le"
                                            ]
                            ).text,
                            'href\s*=\s*["\x27]\s*(?:&#x?[0-9a-f]+;\s*){3,}'
        )
)
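The same match applied offline, as an added Python example (not Sublime's code or part of the rule): it runs the rule's regex over constructed SVG samples and decodes the entity run so an analyst can read the link target during triage. The helper names, `HREF_RE`, the BOM/NUL heuristic for UTF-16LE and the sample SVGs are assumptions made for illustration.

```python
import html
import re

# The rule's pattern: an href value that starts with 3+ numeric entity references.
RULE_RE = re.compile(r'href\s*=\s*["\x27]\s*(?:&#x?[0-9a-f]+;\s*){3,}', re.I)
# Assumed helper (not in the rule): capture the whole quoted href value for triage.
HREF_RE = re.compile(r'href\s*=\s*(["\x27])(.*?)\1', re.I | re.S)


def decode_attachment(raw: bytes) -> str:
    """Decode SVG bytes; use UTF-16LE when a BOM or early NUL bytes suggest it."""
    if raw.startswith(b"\xff\xfe") or b"\x00" in raw[:64]:
        return raw.decode("utf-16-le", errors="replace").lstrip("\ufeff")
    return raw.decode("utf-8", errors="replace")


def entity_encoded_hrefs(raw: bytes) -> list[tuple[str, str]]:
    """Return (encoded, decoded) pairs for href values the rule pattern matches."""
    hits = []
    for m in HREF_RE.finditer(decode_attachment(raw)):
        if RULE_RE.match(m.group(0)):
            hits.append((m.group(2), html.unescape(m.group(2))))
    return hits


def as_entities(s: str, hexa: bool = False) -> str:
    """Build constructed test input: every character as a numeric entity."""
    return "".join(f"&#x{ord(c):x};" if hexa else f"&#{ord(c)};" for c in s)


# Constructed samples (not from real mail); example.test is a reserved name.
URL = "https://example.test/a"
SVG = '<svg xmlns="http://www.w3.org/2000/svg"><a href="{}"><text>Open</text></a></svg>'
SAMPLE_DECIMAL = SVG.format(as_entities(URL)).encode("utf-8")
SAMPLE_UTF16_HEX = b"\xff\xfe" + SVG.format(as_entities(URL, hexa=True)).encode("utf-16-le")
# A single entity in the middle of a plain URL: the rule should not fire.
SAMPLE_BENIGN = SVG.format("https://example.test/a?x=1&#38;y=2").encode("utf-8")

if __name__ == "__main__":
    for name in ("SAMPLE_DECIMAL", "SAMPLE_UTF16_HEX", "SAMPLE_BENIGN"):
        print(name, entity_encoded_hrefs(globals()[name]))
```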