Why Picture-Based Phishing Is Becoming the Internet’s Latest Security Blind Spot

Phishing never really disappears. It adapts.

In 2025, the biggest shift is happening inside the images that reach inboxes every day. Security researchers are seeing a steady rise in email attacks that look like simple graphics but hide active code. The new method uses formats such as SVG or PNG to pass through scanning systems that normally block malicious links or scripts.

Gmail and Outlook users are at the center of this change. Both platforms now face attacks that appear visually harmless. The message can show a company logo, a receipt, or a shipping label, but a single click can redirect the user to a fake login page or install hidden software.

Hidden code inside ordinary files

SVG files are common on websites because they scale cleanly and stay sharp at any size. That same flexibility makes them useful to attackers. These image files can carry JavaScript code inside their structure, turning a picture into a delivery tool for malware.

A report from Hoxhunt found that by March 2025, nearly fifteen percent of all phishing attachments were based on SVG images. The level later dropped to around five percent by midyear, but the pattern was already clear. Data from Trustwave supported the trend, showing an eighteen-fold jump in image-based attacks from April 2024 to early 2025.

The reason this works lies in how email systems read attachments. Most scanning tools look for text-based threats, domain names, or familiar phishing patterns. Images usually pass through untouched. Many corporate servers even allow SVG files by default because they are widely used in business communications and web design. That default setting is now one of the weakest points in many networks.

New targets and tactics

Attackers are no longer sending mass spam. They prefer smaller, more precise campaigns. Finance teams receive invoices that look legitimate, HR staff see recruitment forms, and shipping departments get branded delivery notices. Every element looks correct: the colors, the layout, even the font. That realism reduces suspicion and increases the chance of a click.

AI design tools make these fakes more convincing. Attackers can generate near-perfect replicas of company visuals in seconds. Once the image is opened, the link embedded in it leads to a spoofed login portal where victims unknowingly submit their credentials.

How defenses are adapting

Security firms are testing deeper parsing tools that can look inside image code and detect hidden links. These tools examine metadata and track any connections the file tries to make when opened. The process is heavy on resources and not yet common among smaller organizations. For many companies, the easier fix is awareness training. Employees are reminded to avoid clicking attachments from unknown sources and to verify unexpected emails directly with senders.
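The parsing approach described above, and the SVG-carries-JavaScript problem from the earlier section, can be shown concretely. The following is an added example written for this article; it is not code from the page, from Hoxhunt or from Trustwave. It walks a MIME message, pulls out every SVG attachment and reports the indicators a deeper parser looks for: script elements, event-handler attributes, javascript: and data: URLs, outbound links and remote CSS resources. The e-mail, both SVG bodies and the host login.example.test are constructed for the demo, and the allowed_hosts parameter is an assumption of this example.

```python
"""Flag SVG e-mail attachments that carry active content.

Added example for this article (not code from the page, Hoxhunt, or Trustwave).
The message and the SVG bodies below are constructed; login.example.test is a
made-up host.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Constructed: a "shipping label" SVG that also redirects via a link and a script.
PHISH_SVG = (
    b'<?xml version="1.0"?>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="60">\n'
    b'  <rect width="200" height="60" fill="#0a4"/>\n'
    b'  <text x="10" y="30" fill="white">ACME Shipping - label #4471</text>\n'
    b'  <a xlink:href="https://login.example.test/verify">'
    b'<text x="10" y="50">Track parcel</text></a>\n'
    b'  <script>window.location="https://login.example.test/verify";</script>\n'
    b'</svg>\n'
)
# Constructed: a plain logo made only of drawing primitives.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<circle cx="5" cy="5" r="4" fill="#0a4"/></svg>'
)

ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
REMOTE_CSS = re.compile(r"@import|url\(\s*['\"]?\s*https?:", re.I)


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as {http://www.w3.org/1999/xlink}."""
    return name.rsplit("}", 1)[-1]


def scan_svg(data: bytes, allowed_hosts=()) -> list:
    """Return a list of findings; an empty list means no active content was seen."""
    findings = []
    try:
        root = ET.fromstring(data)  # for untrusted input prefer defusedxml's fromstring
    except ET.ParseError as exc:
        return [f"malformed XML ({exc})"]
    for el in root.iter():
        tag = _local(el.tag).lower()
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        if tag == "style" and el.text and REMOTE_CSS.search(el.text):
            findings.append("remote resource in <style>")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "style" and REMOTE_CSS.search(value):
                findings.append(f"remote resource in style attribute on <{tag}>")
            elif name == "href":
                parsed = urlparse(value.strip())
                scheme = parsed.scheme.lower()
                host = parsed.hostname or ""
                if scheme == "javascript":
                    findings.append(f"javascript: URL on <{tag}>")
                elif scheme == "data":
                    findings.append(f"data: URL on <{tag}>")
                elif scheme in ("http", "https") and host not in allowed_hosts:
                    findings.append(f"external link to {host} on <{tag}>")
                # "#gradient"-style fragment references are normal and ignored
    return findings


def scan_message(raw: bytes, allowed_hosts=()) -> dict:
    """Map each SVG attachment's filename to its findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.walk():
        fname = part.get_filename() or ""
        if part.get_content_type() == "image/svg+xml" or fname.lower().endswith(".svg"):
            report[fname or "<inline>"] = scan_svg(part.get_payload(decode=True), allowed_hosts)
    return report


def build_sample_message() -> bytes:
    """Constructed e-mail: a delivery notice carrying two SVG attachments."""
    msg = EmailMessage()
    msg["From"] = "notices@example.test"
    msg["To"] = "shipping@example.test"
    msg["Subject"] = "Your parcel label"
    msg.set_content("Your label is attached.")
    msg.add_attachment(PHISH_SVG, maintype="image", subtype="svg+xml", filename="label.svg")
    msg.add_attachment(BENIGN_SVG, maintype="image", subtype="svg+xml", filename="logo.svg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in scan_message(build_sample_message()).items():
        print(name, "->", findings or "clean")
```

The scan is static: it reads the XML structure rather than rendering the file, so it runs cheaply at a mail gateway, and allowed_hosts lets an organization whitelist its own domains so that a legitimate branded link does not trigger. Python's xml.etree is not hardened against entity-expansion attacks, so a production filter should parse with defusedxml. Where SVG attachments are not needed at all, blocking or quarantining the type by MIME type and file extension removes the default-allow weakness described in the previous section.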

A growing blind spot

Phishing depends on trust. When users learn to avoid suspicious links, attackers move to something that feels safe. Images have always been that space: neutral, familiar, and often ignored by filters. That trust is now the weak point.

The concern among analysts is that this approach will expand beyond static graphics. Short clips, interactive visuals, or AI-generated templates could form the next wave of image-based attacks. As visual content becomes the standard for communication, the line between design and deception continues to blur.

Email filters can catch most text-based scams, but they struggle with the visual kind. The difference is subtle yet dangerous: what looks like a harmless image can now act as a doorway. The safest approach remains the simplest one: pause before opening any attachment that arrives out of context, no matter how familiar the logo appears.

Note: This post was edited/created using GenAI tools.
