The attack begins with an email that appears to have been sent by DocuSign, containing a link and an HTML attachment. The email asks the recipient to review and sign a document referred to as a “payment notice.” If the recipient clicks the “View Entire Document” button, they are directed to a legitimate web page, but the attachment is not legitimate: opening the file triggers the attack. The attached file includes a Base64-encoded SVG image containing JavaScript code that redirects to the malicious link.
Cybercriminals use this technique to hide their true intent: because the email contains a legitimate link, it can bypass link checking and security scanners. Experts recommend caution with emails that contain HTML and suggest blocking all HTML attachments by treating them as executables.
According to Avanan, the novelty of this attack is the use of an empty image with active content inside it, that is, an image carrying JavaScript, which redirects to a malicious URL. It is important to note that this type of attack is unique and has so far not been detected by specialized services such as VirusTotal.
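A defensive check for the technique described above, as an added example that is not from Avanan or the original article: it decodes Base64 SVG data URIs found in an HTML attachment and flags those that contain active content. The marker list, function names and sample documents are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Matches data: URIs that carry a Base64-encoded SVG, wherever they appear in the HTML.
SVG_DATA_URI = re.compile(r"data:image/svg\+xml;base64,([A-Za-z0-9+/=\r\n]+)", re.IGNORECASE)

# Indicators of active content inside the decoded SVG (heuristic, assumed list).
ACTIVE_MARKERS = {
    "script element": re.compile(rb"<\s*script\b", re.IGNORECASE),
    "event handler attribute": re.compile(rb"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript: URI": re.compile(rb"javascript\s*:", re.IGNORECASE),
    "foreignObject element": re.compile(rb"<\s*foreignObject\b", re.IGNORECASE),
}

def scan_html_attachment(html: str) -> list:
    """Return one finding per embedded SVG that decodes to active content."""
    findings = []
    for match in SVG_DATA_URI.finditer(html):
        payload = re.sub(r"\s+", "", match.group(1))
        payload += "=" * (-len(payload) % 4)  # tolerate stripped padding
        try:
            svg = base64.b64decode(payload)
        except (binascii.Error, ValueError):
            findings.append({"offset": match.start(), "reasons": ["undecodable Base64"]})
            continue
        reasons = [name for name, rx in ACTIVE_MARKERS.items() if rx.search(svg)]
        if reasons:
            findings.append({"offset": match.start(), "reasons": reasons})
    return findings

def build_sample(svg: bytes) -> str:
    """Wrap an SVG in a constructed HTML attachment; the enclosing tag does not matter to the scanner."""
    b64 = base64.b64encode(svg).decode("ascii")
    return f'<html><body><img src="data:image/svg+xml;base64,{b64}"></body></html>'

# Constructed samples: the script body is an inert placeholder.
ACTIVE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* inert placeholder */</script></svg>'
PASSIVE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"/>'

if __name__ == "__main__":
    for label, svg in (("active", ACTIVE_SVG), ("passive", PASSIVE_SVG)):
        print(label, scan_html_attachment(build_sample(svg)))
```

A mail gateway would run such a check on the decoded attachment body before delivery; a finding is a reason to quarantine, not proof of malice.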