
AI used to hide phishing malware in fake business charts

Written by Farah Amod | October 16, 2025

A new phishing campaign uses AI-generated code to disguise malicious scripts inside SVG files that appear as blank business documents.

 

What happened

According to Techradar, Microsoft researchers uncovered a phishing campaign that hides credential-stealing malware in SVG files disguised as PDF business charts. The attackers, using a compromised small business email account, sent these files through the BCC field to avoid detection. The email attachment appeared to be a standard business document, but the underlying SVG file executed malicious code.

 

Going deeper

SVG (Scalable Vector Graphics) files are widely used for displaying charts and images on the web. Because SVGs support embedded scripts, attackers can insert malicious JavaScript into them. In this case, Microsoft found the malware was not hidden through cryptography but rather disguised using strings of business-related terms like “revenue” and “shares.” A hidden script then decoded those terms into instructions for browser redirection, data harvesting, and user tracking.

The fake charts appeared blank to the human eye, offering no visual clues that the file contained malware. Microsoft’s Security Copilot attributed the code's structure and unusual verbosity to generative AI tools, noting it was “not something a human would typically write from scratch.”

 

What was said

Microsoft stated that the sophistication of the obfuscation technique strongly suggests the use of AI-generated code. The language patterns, redundancy, and structural complexity pointed to non-human authorship. The attack was initiated from a real business email account, making it more believable and harder to filter with traditional security tools.

 

The big picture

The SVG campaign shows how attackers are combining AI with trusted file formats to slip past security tools. Emails sent from real business accounts make the messages look legitimate, and the use of blank business charts removes any visual warning signs for users. Because the malicious code is hidden in scripts written to look like ordinary business terms, traditional filters that scan for obvious obfuscation fail to catch it.

Paubox recommends Inbound Email Security to defend against these tactics. Its generative AI examines the context, tone, and behavior of email messages to flag activity that doesn’t align with normal communication, even when the source and attachment appear trustworthy. Threats are stopped before reaching inboxes, giving organizations stronger protection against phishing campaigns that weaponize everyday business files.

 

FAQs

Why would attackers use SVG files instead of PDFs or ZIPs?

SVGs can embed scripts and are less commonly flagged as dangerous, allowing attackers to bypass traditional email filters more easily than with high-risk formats like ZIP or EXE.

 

What makes the AI-generated code different from typical malware?

The code in this campaign was unusually verbose, used redundant structures, and lacked direct utility - hallmarks of output from generative AI tools rather than hand-written scripts.

 

How can a file look blank but still be dangerous?

Attackers made the charts invisible by manipulating styling and layering. While the visual appears empty, the underlying code still runs in the background to execute malicious actions.

 

How do hidden scripts decode business words into actions?

The script uses a mapping system that translates seemingly harmless business-related terms into JavaScript commands, allowing the malware to function without exposing obvious code.

 

What can security teams do to detect this type of attack?

Security teams should expand detection rules to include behavior-based anomalies and invest in threat intelligence systems capable of recognizing obfuscation patterns produced by AI models.
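As an added example (not code from Paubox or Microsoft), a small Python triage check for the traits the FAQs above describe: script markers inside an SVG, styling that hides rendered content, and a long list of quoted business words. The sample SVG is constructed, and the regular expressions and scoring threshold are the example's own assumptions, not a published detection rule.

```python
import re

# Constructed sample: renders as a blank "chart" but carries a hidden group
# and an embedded script whose data is a list of business words.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="800" height="600">
  <rect width="800" height="600" fill="white"/>
  <g style="opacity:0">
    <text>Q3 Revenue Chart</text>
  </g>
  <script type="text/javascript">
    var terms = ["revenue","shares","profit","margin","equity","dividend",
                 "asset","liability","forecast","budget","growth","capital"];
    var table = {}; for (var i = 0; i < terms.length; i++) { table[terms[i]] = i; }
  </script>
</svg>"""

# Constructed benign control: a plain vector image with no script at all.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="steelblue"/>
</svg>"""

# <script> tags, inline event handlers and javascript: URLs are the ways an SVG runs code.
SCRIPT_RE = re.compile(r"<script\b|\son[a-z]+\s*=|javascript:", re.I)
# Styling that makes drawn content invisible while the file still "looks like" a chart.
HIDDEN_RE = re.compile(r"opacity\s*:\s*0(?![.\d])|display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Quoted alphabetic string literals, checked against a small assumed business vocabulary.
STRING_RE = re.compile(r'"([A-Za-z]{3,})"')
BUSINESS_TERMS = {"revenue", "shares", "profit", "margin", "equity", "dividend", "asset",
                  "liability", "forecast", "budget", "growth", "capital", "invoice",
                  "quarter", "sales", "ledger"}


def scan_svg(svg_text):
    """Return simple counts plus a heuristic verdict for one SVG document."""
    script_markers = SCRIPT_RE.findall(svg_text)
    hidden_styles = HIDDEN_RE.findall(svg_text)
    business = [w for w in (s.lower() for s in STRING_RE.findall(svg_text)) if w in BUSINESS_TERMS]
    findings = {
        "script_markers": len(script_markers),
        "hidden_styles": len(hidden_styles),
        "quoted_business_terms": len(business),
    }
    # Assumed rule: scripted SVG that also hides content or carries many business-word literals.
    findings["suspicious"] = bool(script_markers) and (bool(hidden_styles) or len(business) >= 8)
    return findings


if __name__ == "__main__":
    print("sample:", scan_svg(SAMPLE_SVG))
    print("benign:", scan_svg(BENIGN_SVG))
```

A benign chart exported from a design tool usually has no script at all, so the script check alone is a strong first filter for an email gateway; the hidden-style and vocabulary counts only add confidence.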