Ransomware, Phishing, Threat Intelligence, Email security

Tykit SVG phishing kit tied to attacks targeting M365 credentials

A series of phishing attacks using SVG image attachments as a lure has been tied to a suspected phishing-as-a-service (PhaaS) operation affecting hundreds of victims, ANY.RUN reported Tuesday.

The phishing template, dubbed Typical phishing kit or Tykit by ANY.RUN, uses a distinctive SVG image with a light blue background and a dashed blue line border, which imitates a typical pop-up and distracts the user while JavaScript runs in the background.

One version of the SVG is labeled a “Secure Document Viewer” with the message “Loading secure content…” displayed in the center. Another displays a number pad and prompts the user to enter the last four digits of their phone number to access a secure portal, although the numbers entered do not make a difference.

The JavaScript embedded into these SVGs redirects the victim to a “trampoline” page that then sends them to the main phishing website, which displays a Cloudflare Turnstile CAPTCHA and then a fake Microsoft 365 login page.

ANY.RUN analyzed the phishing infrastructure and discovered hundreds of other samples with similar attack flows, which they were able to tie together by command-and-control (C2) URLs all containing the string “segy.”

Some of the top countries targeted by Tykit included the United States, Canada and countries in Southeast Asia, and top targeted industries included finance, IT, government, professional services and construction. Attacks using the Tykit template appeared as early as May 2025, with activity peaking in September and October 2025.

ANY.RUN assessed that the SVG templates, fake M365 login pages, C2 infrastructure and overall attack flow were likely the work of a phishing-as-a-service (PhaaS) operation.

The attack chain follows multiple steps with distinct C2 logic; requests and responses sent to and from the C2 server include JSON objects with specific fields that can be used to identify Tykit attacks. The phishing pages use an adversary-in-the-middle (AitM) technique to replay the stolen credentials and return an error message if an incorrect password is entered.

ANY.RUN notes that SVG files should be treated with caution, as they are increasingly used as attachments in phishing campaigns. Signs that an SVG contains malicious code include obfuscation, eval() calls, and script logic that redirects to another domain.
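To make those indicators actionable at a mail gateway, here is an added Python example (not ANY.RUN's tooling or code from the report) that extracts the executable parts of an SVG attachment and flags embedded scripts, eval() calls, redirect logic and common obfuscation primitives. The regex heuristics, the verdict labels and the two sample SVGs are constructed assumptions for this example; the lure sample only mimics the viewer pop-up layout described above and redirects to a placeholder example.invalid URL.

```python
import re
import xml.etree.ElementTree as ET

# Heuristics for the indicators described above: eval() calls, redirect logic, obfuscation.
# These regexes are this example's own assumptions, not ANY.RUN's detection rules.
EVAL_RE = re.compile(r"\beval\s*\(")
REDIRECT_RE = re.compile(r"\blocation\s*(?:\.href\s*=|\.replace\s*\(|\.assign\s*\(|=)|\bwindow\.open\s*\(")
OBFUSCATION_RE = re.compile(
    r"\batob\s*\(|\bunescape\s*\(|fromCharCode|(?:\\x[0-9a-fA-F]{2}){8,}|[A-Za-z0-9+/]{100,}={0,2}")

def extract_scripts(svg_text: str) -> list[str]:
    """Collect executable content: <script> bodies, on* event handlers and javascript: hrefs."""
    root = ET.fromstring(svg_text)  # raises ET.ParseError on malformed XML
    found = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "script" and el.text:  # strip the SVG namespace
            found.append(el.text)
        for attr, value in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()
            if name.startswith("on") or (name == "href" and value.strip().lower().startswith("javascript:")):
                found.append(value)
    return found

def triage_svg(svg_text: str) -> dict:
    """Verdict for one SVG attachment: clean, review (script but no strong indicator), suspicious, malformed."""
    try:
        scripts = extract_scripts(svg_text)
    except ET.ParseError:
        return {"verdict": "malformed", "indicators": []}
    code = "\n".join(scripts)
    checks = (("eval", EVAL_RE), ("redirect", REDIRECT_RE), ("obfuscation", OBFUSCATION_RE))
    indicators = [name for name, rx in checks if rx.search(code)]
    verdict = "suspicious" if indicators else ("review" if scripts else "clean")
    return {"verdict": verdict, "indicators": indicators}

# Constructed samples: a plain icon, and a lure shaped like the "Loading secure content" pop-up
# described above, whose script decodes a placeholder (example.invalid) URL and redirects to it.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10" fill="#add8e6"/></svg>'
LURE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="400" height="200">
<rect width="400" height="200" fill="#e6f2ff" stroke="#3399ff" stroke-dasharray="4"/>
<text x="120" y="100">Loading secure content...</text>
<script><![CDATA[
  var t = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvdHJhbXBvbGluZQ==");  // https://example.invalid/trampoline
  window.location.href = t;
]]></script>
</svg>"""

if __name__ == "__main__":
    print(triage_svg(BENIGN_SVG), triage_svg(LURE_SVG))  # clean; suspicious [redirect, obfuscation]
```

A "review" verdict (script present, no strong indicator) is still worth quarantining in most environments, since a static image attachment has no legitimate need for JavaScript.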

Indicators of compromise (IOCs) for Tykit can also be used to detect and block attacks, including requests to any of the “segy” domains identified by ANY.RUN and requests containing JSON objects matching those used by Tykit.
