SANS ISC: SVG phishing wave abuses a non-standard MIME type to slip past WAF/email pattern-matching [SINGLE-SOURCE]
From CTI Daily Brief — 2026-06-03 · published 2026-06-03
SANS ISC handler Xavier Mertens documented a fresh wave of phishing emails carrying SVG attachments whose embedded JavaScript is obfuscated with combined Base64 + XOR encoding and, once decoded, redirects the victim via window.location.href to a credential-harvesting page (SANS ISC, 2026-06-02). [SINGLE-SOURCE] (SANS Internet Storm Center).

The notable evasion is the script declaration: <script type="application/ecmascript"> instead of the usual text/javascript. Browsers treat both as JavaScript MIME types and execute the script identically, but email-security and WAF rules that pattern-match on the literal string text/javascript never see the non-standard declaration. The same holds for the other JavaScript MIME types (text/ecmascript, application/javascript, application/x-javascript and friends) and for a <script> element with no type attribute at all, which defaults to JavaScript. The attachment needs no extra click: on Windows the .svg extension is associated with the default browser, so opening the attachment loads the SVG as a standalone document, and script in a standalone SVG runs on load (it would not run if the same file were only referenced from an <img> element, which is why the attachment itself is the delivery path).

Detection: flag email attachments of Content-Type: image/svg+xml (and any attachment with a .svg filename, regardless of declared type) that contain embedded <script> elements; in inspection rules treat every JavaScript MIME type (text/javascript, text/ecmascript, application/javascript, application/ecmascript, application/x-javascript and the remaining variants), matched case-insensitively and ignoring parameters such as ;charset=, as equivalent, and treat an absent or empty type attribute as JavaScript too; sandbox SVG attachments before delivery; and watch newly registered low-cost TLDs at the proxy (the campaign used a .cfd domain).
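The detection guidance above, worked into a small scanner as an added example; this is not code from SANS ISC or from the campaign. It walks a raw e-mail for SVG attachments, flags <script> elements whose type attribute is any JavaScript MIME type (or missing), and brute-forces single-byte XOR over Base64 blobs found in script bodies to surface the window.location.href redirect. It goes slightly beyond the brief by also flagging on* event-handler attributes and javascript: URLs, which execute in a standalone SVG without any <script> element. The sample e-mail, the 0x5A key, the .invalid URL and the lure text are constructed for the example; the real campaign's key length and decoder are not described on the page, and the single-byte assumption is the example's own.

```python
import base64
import re
import xml.etree.ElementTree as ET
from email import message_from_string
from email.message import EmailMessage

# JavaScript MIME type essences that browsers execute in <script type="...">.
# A rule that matches only "text/javascript" misses every other entry here.
JS_MIME_ESSENCES = {
    "text/javascript", "text/ecmascript", "text/jscript", "text/livescript",
    "text/x-javascript", "text/x-ecmascript",
    "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
    "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
    "application/javascript", "application/ecmascript",
    "application/x-javascript", "application/x-ecmascript",
}
REDIRECT = re.compile(r"window\.location|location\.href|document\.location", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def is_script_type(type_attr):
    """True if a <script type="..."> value executes as JavaScript: a missing or
    empty type defaults to JS, matching is case-insensitive, and parameters
    such as ';charset=utf-8' are ignored."""
    if type_attr is None or not type_attr.strip():
        return True
    essence = type_attr.split(";", 1)[0].strip().lower()
    return essence in JS_MIME_ESSENCES


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def decode_base64_xor(blob):
    """Base64-decode, then try every single-byte XOR key (key 0 covers plain
    Base64). Returns (key, text) for the first key whose output contains a
    redirect primitive, else None. Single-byte key is an assumption here."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    for key in range(256):
        try:
            text = xor_bytes(raw, key).decode("ascii")
        except UnicodeDecodeError:
            continue
        if REDIRECT.search(text):
            return key, text
    return None


def analyze_svg(svg_text):
    """Return a list of human-readable findings for one SVG document."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # A browser's XML parser would refuse this too, but still surface it.
        return [f"unparseable SVG: {exc}"]
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # strip the SVG namespace prefix
        # Event handlers and javascript: URLs run on open with no <script>.
        for name, value in el.attrib.items():
            if name.lower().startswith("on"):
                findings.append(f"<{tag} {name}> event handler")
            elif value.strip().lower().startswith("javascript:"):
                findings.append(f"<{tag} {name}> javascript: URL")
        if tag != "script":
            continue
        type_attr = el.get("type")
        if is_script_type(type_attr):
            findings.append(f"executable <script type={type_attr!r}>")
        for blob in B64_BLOB.findall(el.text or ""):
            hit = decode_base64_xor(blob)
            if hit:
                key, text = hit
                primitive = REDIRECT.search(text).group(0)
                findings.append(f"base64+xor(key=0x{key:02x}) decodes to {primitive!r}")
    return findings


def scan_email(raw_email):
    """Walk a raw RFC 5322 message and analyze every SVG attachment, matched by
    declared Content-Type or by .svg filename (senders lie about both)."""
    msg = message_from_string(raw_email)
    results = {}
    for part in msg.walk():
        fname = part.get_filename() or ""
        if part.get_content_type() == "image/svg+xml" or fname.lower().endswith(".svg"):
            payload = part.get_payload(decode=True) or b""
            results[fname or "(unnamed)"] = analyze_svg(payload.decode("utf-8", "replace"))
    return results


def build_sample_email(key=0x5A):
    """Constructed sample, not a campaign artifact: an SVG whose script decodes
    a Base64+XOR blob and evals it, attached to a lure e-mail. The URL uses the
    reserved .invalid TLD; the key and lure text are arbitrary."""
    js = 'window.location.href="https://example.invalid/login";'
    blob = base64.b64encode(xor_bytes(js.encode(), key)).decode()
    svg = (
        '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
        '<script type="application/ecmascript"><![CDATA['
        f'var k={key},d=atob("{blob}"),o="";'
        'for(var i=0;i<d.length;i++){o+=String.fromCharCode(d.charCodeAt(i)^k);}'
        'eval(o);]]></script></svg>'
    )
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(svg.encode(), maintype="image", subtype="svg+xml", filename="invoice.svg")
    return msg.as_string()


if __name__ == "__main__":
    for name, hits in scan_email(build_sample_email()).items():
        print(name)
        for hit in hits:
            print("  -", hit)
```

Run stand-alone it reports two findings for invoice.svg: the executable application/ecmascript script element and the Base64+XOR blob that decodes (key 0x5a) to a window.location redirect. The XOR search is deliberately brute force because the key is not a reliable indicator; the redirect primitive in the decoded output is. For a mail gateway, the same logic belongs on the decoded attachment before delivery, not on the raw MIME body, where the Base64 transfer encoding hides everything from a plain string match.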