Overview
- The campaign targeted U.S. organizations using a compromised small-business mailbox to send self-addressed emails with real recipients hidden in Bcc and an attachment named like a PDF but actually an SVG.
- The file (“23mb – PDF- 6 pages.svg”) redirected users to a CAPTCHA page and was likely intended to lead to a fake sign-in form to harvest credentials, though later stages were blocked.
- The SVG was structured as a faux business analytics dashboard, with business terms such as revenue and operations encoded as hidden attributes that JavaScript decoded into malicious actions like redirects, fingerprinting, and session tracking.
- Microsoft’s Security Copilot assessed the code as almost certainly LLM-assisted based on overly descriptive naming, over-engineered modularity, verbose generic comments, formulaic obfuscation, and unusual CDATA/XML usage.
- Defender for Office 365 stopped the attack by flagging message-context anomalies and a known phishing domain; Microsoft recommended enabling Safe Links, ZAP, phishing-resistant authentication, and cloud-delivered protection, while other vendors noted concurrent multi-stage campaigns involving .XLAM files and the XWorm RAT.
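The "dashboard" SVG described above (business-term attributes carrying encoded values, a script in a CDATA block, a PDF-style filename) can be triaged at the mail gateway or in a sandbox. The following is an added example of such a triage check, written for this summary; it is not code from Microsoft's report, and the sample SVG, its hex-encoded attribute values and the scoring weights are constructed here for illustration.

```python
"""Triage an SVG email attachment for the traits described in the summary."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"

# Constructed sample (not the real attachment): a "KPI dashboard" SVG whose
# hidden group carries hex-encoded strings in data-* attributes and which
# embeds a script in a CDATA block. The values are harmless placeholders.
SAMPLE_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="800" height="600">
  <g id="kpi-panel" visibility="hidden">
    <text data-revenue="717561727465726c792d7265706f7274">Revenue</text>
    <text data-operations="3430302d6465736b73">Operations</text>
  </g>
  <script type="text/javascript"><![CDATA[
    // decoder logic would sit here in a real sample; omitted deliberately
  ]]></script>
</svg>
"""

HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){8,}$")      # 8+ bytes of hex
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")    # coarse base64 shape


def looks_like_pdf_decoy(filename: str) -> bool:
    """Name advertises a PDF or page count, but the real extension is .svg."""
    name = filename.lower()
    return name.endswith(".svg") and ("pdf" in name or "page" in name)


def triage_svg(data: bytes) -> dict:
    """Count script elements, CDATA use, hidden groups and encoded data-* attrs."""
    root = ET.fromstring(data)
    findings = {"scripts": 0, "cdata": b"<![CDATA[" in data,
                "hidden": 0, "encoded_attrs": []}
    for el in root.iter():
        if el.tag.replace(SVG_NS, "") == "script":
            findings["scripts"] += 1
        if el.get("visibility") == "hidden" or el.get("display") == "none":
            findings["hidden"] += 1
        for key, val in el.attrib.items():
            if key.startswith("data-") and (HEX_RE.match(val) or B64_RE.match(val)):
                findings["encoded_attrs"].append((key, val))
    return findings


def risk_score(filename: str, data: bytes) -> int:
    """Illustrative weighting: any script in an emailed SVG dominates the score."""
    f = triage_svg(data)
    score = 2 * looks_like_pdf_decoy(filename) + 3 * (f["scripts"] > 0)
    score += f["cdata"] + (f["hidden"] > 0) + min(len(f["encoded_attrs"]), 3)
    return score
```

A legitimate chart exported as SVG rarely needs `<script>` at all, so a non-zero `scripts` count on an inbound attachment is the strongest single signal here; the encoded-attribute check is a coarse heuristic and will flag some long alphanumeric labels.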