📢 When a voicemail notification is more than it seems


🚨 Subject:

Malicious SVG files masquerading as a voicemail attachment

🔎 What’s Happening?

Cloudflare Email Security recently uncovered a large-scale malicious email campaign that leverages a seemingly harmless vector: voicemail notifications. Attackers are sending emails with subject lines like “You’ve Got a New Voicemail” or “New Message Waiting in Your Voicemail,” accompanied by an attachment posing as a voicemail recording. The attached file is actually an SVG (Scalable Vector Graphics) file, a type of image format that uses mathematical formulas instead of pixels, allowing it to scale without losing quality. While SVGs are commonly used for logos and illustrations, they are not used for audio recordings. Most users wouldn’t recognize this distinction, making the tactic particularly deceptive. Within these SVG files, attackers embed malicious JavaScript, effectively disguising the threat as a routine voicemail message.


⚠️ Why It Matters

📞 Voicemail-to-email is widely used. With over 98% of Americans owning a mobile phone (nearly 331 million people), many rely on voicemail-to-email features to manage messages. Because this format is so familiar and trusted, attackers are exploiting it to increase the likelihood that victims will open malicious emails.

💾 The threat is in the file. Unlike phishing attacks that trick you into entering credentials, this tactic relies on users opening an infected file. One click can compromise your system.

🛠️ How Cloudflare Stops It

At Cloudflare, our detection engine analyzes a broad set of signals to identify malicious emails, whether they include harmful links, dangerous attachments, or are sent by suspicious actors. In this case, we uncovered distinct patterns in the attacker’s approach and developed a targeted detection method that flags emails which:

  • Are one-off (non-threaded) messages
  • Lack association with a verified brand
  • Include attachments with .svg file extensions
  • Match a metadata signature that suggests JavaScript capable of rendering malicious code

By combining structural email analysis with file behavior heuristics, Cloudflare blocks these threats before they reach your inbox.
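The four criteria above can be sketched as a mail-gateway check. This is an added example, not Cloudflare's detection logic: the brand check is modeled as a hypothetical allowlist of sender domains (`verified_brand_domains`), the "metadata signature" is approximated by looking for `<script>` elements, `on*` event-handler attributes and `javascript:` links inside the SVG, and the sample message is constructed.

```python
import xml.etree.ElementTree as ET
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
# Constructed sample SVG (not taken from the campaign); the script body is inert.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
<script type="text/javascript">/* placeholder for embedded JavaScript */</script>
<rect width="10" height="10" onclick="void(0)"/></svg>"""

def build_sample(svg=SAMPLE_SVG, threaded=False):
    # Constructed voicemail-style message carrying one .svg attachment.
    msg = EmailMessage()
    msg["From"] = "Voicemail <voicemail@sender.example>"
    msg["Subject"] = "You've Got a New Voicemail"
    if threaded:
        msg["In-Reply-To"] = "<1@recipient.example>"
    msg.set_content("You have a new voicemail.")
    msg.add_attachment(svg, maintype="image", subtype="svg+xml", filename="voicemail.svg")
    return msg.as_bytes()

def svg_script_indicators(data):
    """Return the active-content markers present in an SVG document."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["unparseable"]  # malformed SVG is surfaced for review, not passed
    found = set()
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1].lower() == "script":
            found.add("script-element")
        for name, value in el.attrib.items():
            local = name.rsplit("}", 1)[-1].lower()  # strip any XML namespace
            if local.startswith("on"):
                found.add("event-handler")
            if local == "href" and value.strip().lower().startswith("javascript:"):
                found.add("javascript-uri")
    return sorted(found)

def evaluate(raw, verified_brand_domains=frozenset()):
    """Flag a message only when all four criteria from the list hold."""
    msg = message_from_bytes(raw, policy=policy.default)
    domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    svgs = [p.get_payload(decode=True) for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(".svg")]
    signals = {
        "non_threaded": msg["In-Reply-To"] is None and msg["References"] is None,
        "no_verified_brand": domain not in verified_brand_domains,  # assumed allowlist
        "svg_attachment": bool(svgs),
        "script_indicators": sorted({i for s in svgs for i in svg_script_indicators(s)}),
    }
    return all(signals.values()), signals
```

`evaluate()` returns the verdict together with the individual signals, so a quarantine log can record which criteria matched. When parsing untrusted SVG with `xml.etree`, run on a Python build linked against Expat 2.4.1 or newer so entity-expansion attacks are bounded.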

This article kicks off our new Phishing Detection series, where we break down the latest trends in email-based attacks—and how Cloudflare detects and stops them before they reach your inbox.

—————————————————————————————————————————

Learn more 

Read more details about how our email security service works and request a free phishing risk assessment to see how your existing security controls stack up.
