Attachment: SVG file with hyperlinks and cursor styling

Detects inbound messages containing SVG attachments that include clickable hyperlink elements and CSS pointer cursor styling, which may be used to deceive recipients into clicking malicious links disguised as legitimate images.

Sublime rule (View on GitHub)

 1name: "Attachment: SVG file with hyperlinks and cursor styling"
 2description: "Detects inbound messages containing SVG attachments that include clickable hyperlink elements and CSS pointer cursor styling, which may be used to deceive recipients into clicking malicious links disguised as legitimate images."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(attachments,
 8          (
 9            .file_extension == "svg"
10            or .content_type in ("image/svg+xml")
11            or .file_type == "svg"
12          )
13          and any(file.explode(.), any(.scan.xml.tags, . == "a"))
14          and regex.icontains(file.parse_text(., encodings=["ascii", "utf8"]).text,
15                              'cursor\s*=\s*["\x27]pointer'
16          )
17  )  
18attack_types:
19  - "Credential Phishing"
20tactics_and_techniques:
21  - "Evasion"
22  - "Image as content"
23detection_methods:
24  - "File analysis"
25  - "XML analysis"
26  - "Content analysis"
27id: "01347141-5757-5bb6-a7ee-0930cee86d16"