MITRE ATT&CK Technique
Description
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files.(Citation: Trustwave SVG Smuggling 2025) SVGs, or Scalable Vector Graphics, are vector-based image files constructed using XML. As such, they can legitimately include `<script>` tags that enable adversaries to include malicious JavaScript payloads. However, SVGs may appear less suspicious to users than other types of executable files, as they are often treated as image files. SVG smuggling can take a number of forms. For example, threat actors may include content that: * Assembles malicious payloads(Citation: Talos SVG Smuggling 2022) * Downloads malicious payloads(Citation: Cofense SVG Smuggling 2024) * Redirects users to malicious websites(Citation: Bleeping Computer SVG Smuggling 2024) * Displays interactive content to users, such as fake login forms and download buttons.(Citation: Bleeping Computer SVG Smuggling 2024) SVG Smuggling may be used in conjunction with [HTML Smuggling](https://attack.mitre.org/techniques/T1027/006) where an SVG with a malicious payload is included inside an HTML file.(Citation: Talos SVG Smuggling 2022) SVGs may also be included in other types of documents, such as PDFs.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2025-03-25T15:31:09.697Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may smuggle data and files past content filters '
'by hiding malicious payloads inside of seemingly benign SVG '
'files.(Citation: Trustwave SVG Smuggling 2025) SVGs, or '
'Scalable Vector Graphics, are vector-based image files '
'constructed using XML. As such, they can legitimately include '
'`<script>` tags that enable adversaries to include malicious '
'JavaScript payloads. However, SVGs may appear less suspicious '
'to users than other types of executable files, as they are '
'often treated as image files. \n'
'\n'
'SVG smuggling can take a number of forms. For example, threat '
'actors may include content that: \n'
'\n'
'* Assembles malicious payloads(Citation: Talos SVG Smuggling '
'2022)\n'
'* Downloads malicious payloads(Citation: Cofense SVG '
'Smuggling 2024)\n'
'* Redirects users to malicious websites(Citation: Bleeping '
'Computer SVG Smuggling 2024)\n'
'* Displays interactive content to users, such as fake login '
'forms and download buttons.(Citation: Bleeping Computer SVG '
'Smuggling 2024)\n'
'\n'
'SVG Smuggling may be used in conjunction with [HTML '
'Smuggling](https://attack.mitre.org/techniques/T1027/006) '
'where an SVG with a malicious payload is included inside an '
'HTML file.(Citation: Talos SVG Smuggling 2022) SVGs may also '
'be included in other types of documents, such as PDFs. ',
'external_references': [{'external_id': 'T1027.017',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1027/017'},
{'description': 'Adam Katz and Jaeson Schultz. (2022, '
'December 13). HTML smugglers turn to '
'SVG images. Retrieved March 25, '
'2025.',
'source_name': 'Talos SVG Smuggling 2022',
'url': 'https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/'},
{'description': 'Bernard Bautista and Kevin Adriano. '
'(2025, April 10). Pixel-Perfect '
'Trap: The Surge of SVG-Borne '
'Phishing Attacks. Retrieved April '
'14, 2025.',
'source_name': 'Trustwave SVG Smuggling 2025',
'url': 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pixel-perfect-trap-the-surge-of-svg-borne-phishing-attacks/'},
{'description': 'Lawrence Abrams. (2024, November '
'17). Phishing emails increasingly '
'use SVG attachments to evade '
'detection. Retrieved March 25, 2025.',
'source_name': 'Bleeping Computer SVG Smuggling 2024',
'url': 'https://www.bleepingcomputer.com/news/security/phishing-emails-increasingly-use-svg-attachments-to-evade-detection/'},
{'description': 'Max Gannon. (2024, March 13). SVG '
'Files Abused in Emerging Campaigns. '
'Retrieved March 25, 2025.',
'source_name': 'Cofense SVG Smuggling 2024',
'url': 'https://cofense.com/blog/svg-files-abused-in-emerging-campaigns/'}],
'id': 'attack-pattern--78b9e70d-1605-459c-b23d-e3a25036968c',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-04-15T19:58:43.263Z',
'name': 'SVG Smuggling',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Suraj Khetani (@r00treaver)',
'Dhiraj Mishra (@RandomDhiraj)'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
'x_mitre_version': '1.0'}