Some experts have warned of a peculiar new phishing scam that uses blank graphics to trick victims into giving over personal information.

Researchers at email security firm Avanan have dubbed this format “blank image,” and it consists of malicious actors including empty.svg files encoded with Base64 as HTML attachments in order to evade detection of URL redirection.

In this attack, the esignature platform DocuSign is the intended victim, and the fraudsters’ method of delivery is an email purporting to come from DocuSign but really carrying a malicious HTML attachment that, when opened, displays a blank picture.

Trick with a blank picture

The catch is that the picture contains Javascript that, in a previously unseen technique, directs them to a malicious URL. Because of this, many security systems will likely miss the danger.

We have documented many instances of fraud on DocuSign, which is surprising given the platform’s widespread use and high level of trust.

According to Avanan, “this assault expands upon the surge of HTML attachment attacks that we’ve lately witnessed targeting our clients, whether they be SMBs or corporations.”

According to the author, “most security systems are ineffective against these assaults since they build obfuscation atop obfuscation.”

Users, according to Avanan’s advice, should be suspicious of emails that include HTML (.htm) attachments. In order to better safeguard their employees, businesses might prohibit the receipt of emails containing such files, treating them like they would any other executable (like .exe files).