Microsoft says Outlook for Web and the new Outlook for Windows will no longer display risky inline SVG images that are being used in attacks.
This change began rolling out worldwide in early September 2025 and is expected to be completed for all customers by mid-October 2025.
Redmond added that this change will affect less than 0.1% of all images sent using Outlook, so the actual impact after the rollout ends is expected to be minimal.
“Inline SVG images will no longer be displayed in Outlook for Web or the new Outlook for Windows. Instead, users will see blank spaces where these images would have appeared,” the company said in a Microsoft 365 Message Center update on Tuesday.
“SVG images sent as classic attachments will continue to be supported and viewable from the attachment well. This update helps mitigate potential security risks, such as cross-site scripting (XSS) attacks.”
Malicious actors have extensively used SVG (Scalable Vector Graphics) files over the past few years to deploy malware and display phishing forms. Cybersecurity companies have also reported a significant increase in phishing attacks using this particular document format, driven by PhaaS platforms such as Tycoon2FA, Mamba2FA, and Sneaky2FA.
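The mitigation Microsoft describes, dropping inline SVG from rendered mail bodies while still reporting why each one was risky, can be reproduced on the mail-gateway side. The following is an added example, not code from Microsoft or from the article; it uses only the Python standard library, and the e-mail body, the placeholder markup and the list of risky SVG child elements are constructed assumptions for illustration:

```python
from html.parser import HTMLParser

# Constructed sample: an HTML mail body with a normal <img>, an inline <svg>
# that only draws a shape, and an inline <svg> that carries active content.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Quarterly report attached.</p>
<img src="cid:logo" alt="logo">
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle cx="5" cy="5" r="4"/></svg>
<svg xmlns="http://www.w3.org/2000/svg"><a href="javascript:void(0)" onclick="handler()"><text>open</text></a><script>/* constructed placeholder */</script></svg>
</body></html>
"""

# Assumed placeholder: what the reader sees instead of the inline image.
BLOCKED_PLACEHOLDER = '<span class="inline-svg-blocked"></span>'

# Assumed list of SVG child elements that can carry script or foreign markup.
RISKY_TAGS = {"script", "foreignobject", "iframe", "object", "embed"}


class InlineSvgAuditor(HTMLParser):
    """Copies an HTML body through unchanged except that every top-level inline
    <svg> is replaced by BLOCKED_PLACEHOLDER, and records for each one which
    active-content indicators it contained."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.out = []        # rebuilt HTML fragments
        self.findings = []   # one dict per inline <svg>
        self.depth = 0       # > 0 while inside an <svg> element
        self.current = None

    @staticmethod
    def _new_finding():
        return {"risky_tags": set(), "event_handlers": set(), "script_urls": set()}

    def _inspect(self, tag, attrs):
        # Only called inside an <svg>; note tags and attributes that can run code.
        if tag in RISKY_TAGS:
            self.current["risky_tags"].add(tag)
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.current["event_handlers"].add(lname)
            if lname in ("href", "xlink:href", "src") and value \
                    and value.strip().lower().startswith("javascript:"):
                self.current["script_urls"].add(value.strip())

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            if self.depth == 0:
                self.current = self._new_finding()
            self.depth += 1
        if self.depth > 0:
            self._inspect(tag, attrs)
            return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if tag == "svg" and self.depth == 0:      # empty <svg/>: still blocked
            self.findings.append(self._new_finding())
            self.out.append(BLOCKED_PLACEHOLDER)
            return
        if self.depth > 0:
            self._inspect(tag, attrs)
            return
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self.depth > 0:
            if tag == "svg":
                self.depth -= 1
                if self.depth == 0:              # outermost <svg> closed
                    self.findings.append(self.current)
                    self.current = None
                    self.out.append(BLOCKED_PLACEHOLDER)
            return
        self.out.append(f"</{tag}>")

    # Text, entities, comments and declarations: dropped inside an SVG, kept outside.
    def handle_data(self, data):
        if self.depth == 0:
            self.out.append(data)

    def handle_entityref(self, name):
        if self.depth == 0:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if self.depth == 0:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        if self.depth == 0:
            self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def audit_email_html(html):
    """Return (rewritten_html, findings) for one HTML mail body."""
    parser = InlineSvgAuditor()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.findings


def has_active_content(finding):
    """True if the inline SVG carried script-capable elements or attributes."""
    return any(finding[key] for key in ("risky_tags", "event_handlers", "script_urls"))


if __name__ == "__main__":
    cleaned, findings = audit_email_html(SAMPLE_EMAIL_HTML)
    for i, f in enumerate(findings, 1):
        print(f"inline svg #{i}: active={has_active_content(f)} {f}")
    print(cleaned)
```

Every inline SVG is replaced, not only the ones flagged, which matches the blanket policy in the Message Center note; the findings are what a gateway would log or feed to a detection rule, since an inline SVG with an `on*` handler or a `javascript:` link is rare in legitimate mail. The parser lowercases tag and attribute names, so `foreignObject` and `onClick` are matched as written here.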
For instance, Trustwave reported in April that SVG-based attacks have pivoted toward phishing campaigns, seeing a staggering 1800% increase between April 2024 and early 2025.
The retirement of inline SVG images in Microsoft Outlook is part of a broader effort to remove or disable Office and Windows features that have been abused in attacks targeting Microsoft customers.
In June, Microsoft also announced that Outlook Web and the new Outlook for Windows will start blocking .library-ms and .search-ms file types. These file types were previously used in attacks targeting government entities and have been exploited in phishing and malware attacks since at least June 2022. The complete list of blocked Outlook attachments is available on Microsoft’s documentation website.
Since 2018, Redmond has also expanded support for its Antimalware Scan Interface (AMSI) to block attacks using Office VBA macros in Office 365 client apps, started blocking VBA Office macros by default, introduced XLM macro protection, disabled Excel 4.0 (XLM) macros, and began blocking untrusted XLL add-ins by default across Microsoft 365 tenants.
In April 2025, it also disabled all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 apps, following its announcement in May 2024 that it would deprecate VBScript in the second half of 2024.