New Wave Of Phishing Emails with SVG Files (Tue, Jun 2nd)
ID: 9abbfe69-8bcf-59f7-bc17-e0cca6156b32
STIX ID: report--9abbfe69-8bcf-59f7-bc17-e0cca6156b32
Feed Name: SANS ISC Diary
This report details a phishing campaign delivering malicious SVG attachments that contain minimal JavaScript (using application/ecmascript) which decodes a Base64+XOR payload and redirects victims to phishing pages hosted on domains using the cheap ".cfd" TLD (example: chinougoo.cfd). The technique aims to evade security tools that look for common script MIME types or simple JavaScript patterns, and the report includes code snippets, the XOR key construction, and a sample redirect, making it actionable for detection and mitigation.
