How do you handle the security issues of SVGs?

We got just an email with an EML or MSG attachment the other day. The attachment has an attachment of an SVG file with an empty name. That's scalable vector graphics so I thought it was about as safe as a GIF. Apparently you can put hover effects and buttons and all kinds of crap in there. Anyway, it was a fake cloudflare rerouter into a fake MS login, all contained within the file! Check it out here:
https://imgur.com/a/tMRreSR
I assume it has a form that POSTs to a malicious site or something. Didn't know SVGs could do that. They're basically HTML files at this point, I guess. I mean seriously, look at this crazy shit
https://dev.w3.org/SVG/tools/svgweb/samples/svg-files/USStates.svg

So I added SVG to our blocked attachment rule list. Today, a dozen emails got blocked because of SVG "attachments" embedded in customer and vendor email signatures. It probably wouldn't have filtered the SVG anyway since it was attached to an email file (MSG or EML) anyway. But I can't block those because some services still forward emails that way.

Is there a solution here?

Madison Howard

Share Your Mood

CeC-P

How do you handle the security issues of SVGs?