Researchers have described a new phishing technique that uses blank images, and its victims may not even notice it. The technique, dubbed “Blank Image,” has threat actors embed empty SVG files, encoded in Base64, inside HTML attachments in order to evade URL redirect detection. DocuSign, the e-signature platform, is the brand impersonated in this case: scammers send a seemingly legitimate DocuSign email with an HTML attachment that, when opened, displays what appears to be a blank image.
About “blank image” phishing:
A novel phishing technique hides empty SVG files inside HTML attachments that are made to look like DocuSign documents. Researchers at the email security company Avanan have named it “Blank Image.” They explain that the attack allows phishing actors to circumvent the detection of redirect URLs. The phishing email sent to potential victims purports to be a DocuSign document, a widely used brand that many recipients know from their office jobs. The victim is asked to review and sign the attached document, named Scanned Remittance Advice.htm; the attackers use an HTML file because such files are often ignored by email security systems and therefore have a higher chance of reaching the target’s inbox. If a victim clicks the button to view the completed document, they are taken to a legitimate DocuSign website, but if they open the HTML attachment, the Blank Image attack is triggered.
In the DocuSign campaign that the Avanan researchers identified, the SVG renders as empty on the victim’s screen, but the URL redirect code embedded with it still runs in the background. Users should treat emails that carry HTML code or HTML attachments with caution.
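As an added example, not code from Avanan or from this article, the check below decodes every Base64 data URI found in an HTML attachment and flags an SVG that contains no drawing elements but does contain script or navigation code, which is the Blank Image pattern described above. The sample attachments, the `<object>` tag used to embed them and the marker strings are constructed assumptions, not details taken from the campaign.

```python
import base64
import re
from dataclasses import dataclass, field

# Base64 data URIs as they appear in src/href/data attributes of an HTML attachment.
DATA_URI_RE = re.compile(r"data:([\w.+-]+/[\w.+-]+);base64,([A-Za-z0-9+/=]+)", re.I)
# Strings that indicate code execution or navigation inside an SVG (heuristic, not exhaustive).
SCRIPT_MARKERS = ("<script", "onload=", "window.location", "location.href", "location.replace")
# Visible drawing elements; an SVG containing none of them renders as a blank image.
DRAWING_TAGS = ("<path", "<rect", "<circle", "<ellipse", "<line", "<polyline", "<polygon", "<text", "<image")

@dataclass
class Finding:
    mime: str
    is_svg: bool
    renders_blank: bool
    script_markers: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # The "Blank Image" pattern: an SVG with nothing to draw but code that runs.
        return self.is_svg and self.renders_blank and bool(self.script_markers)

def scan_html_attachment(html: str) -> list:
    # Decode each Base64 data URI in the attachment and classify the embedded object.
    findings = []
    for mime, payload in DATA_URI_RE.findall(html):
        try:
            decoded = base64.b64decode(payload, validate=True).decode("utf-8", "replace").lower()
        except ValueError:  # not valid Base64; nothing to inspect
            continue
        is_svg = "<svg" in decoded
        findings.append(Finding(
            mime=mime.lower(),
            is_svg=is_svg,
            renders_blank=is_svg and not any(tag in decoded for tag in DRAWING_TAGS),
            script_markers=[m for m in SCRIPT_MARKERS if m in decoded],
        ))
    return findings

def is_blank_image_attachment(html: str) -> bool:
    return any(f.suspicious for f in scan_html_attachment(html))

def _embed(svg: str) -> str:
    # Constructed sample attachment: the SVG is carried as a Base64 data URI (the tag choice is an assumption).
    b64 = base64.b64encode(svg.encode()).decode()
    return f'<html><body><object data="data:image/svg+xml;base64,{b64}"></object></body></html>'

# Constructed samples: one SVG draws nothing and only navigates away; the other is an ordinary icon.
SUSPICIOUS_SAMPLE = _embed('<svg xmlns="http://www.w3.org/2000/svg"><script>window.location="https://lure.example.invalid/";</script></svg>')
BENIGN_SAMPLE = _embed('<svg xmlns="http://www.w3.org/2000/svg"><rect width="8" height="8" fill="#333"/></svg>')
```

The heuristic is intentionally conservative: a gradient definition such as `<linearGradient` also matches `<line`, so a decorated-but-scripted SVG is reported as not blank and must be caught by the script markers alone.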