Microsoft Outlook Blocks Malicious SVG Image Attacks

Summary
– Microsoft is disabling inline SVG image display in Outlook for Web and the new Outlook for Windows to block security attacks.
– The rollout started in early September 2025 and will complete globally by mid-October 2025, affecting under 0.1% of images.
– Users will see blank spaces instead of inline SVGs, but SVG files sent as attachments remain viewable and supported.
– SVG files have been widely exploited for phishing and malware, with a reported 1800% increase in attacks between April 2024 and early 2025.
– This change is part of broader Microsoft security efforts, including blocking other risky file types and disabling features such as ActiveX controls and VBScript.

Microsoft has implemented a significant security update for its Outlook email platforms, blocking the display of potentially dangerous inline SVG images within messages. This proactive measure aims to counter a rising wave of cyberattacks that exploit this specific file format. The rollout for Outlook on the web and the new Outlook for Windows started globally in early September 2025, with completion anticipated for all users by the middle of October.
The company estimates this modification will impact fewer than 0.1% of all images transmitted through Outlook, suggesting the practical effect on most users will be negligible once the update is fully deployed. In a recent Microsoft 365 Message Center announcement, the firm clarified that emails containing these inline SVG graphics will now show empty spaces where the images would normally appear. It’s important to note that SVG files sent as traditional email attachments remain fully supported and can be viewed safely from the dedicated attachment area.
Cybercriminals have increasingly turned to Scalable Vector Graphics (SVG) files in recent years as a vehicle for distributing malware and presenting deceptive phishing forms. Security researchers have documented a substantial surge in phishing campaigns using this format, a trend largely fueled by Phishing-as-a-Service platforms with names like Tycoon2FA, Mamba2FA, and Sneaky2FA. For example, a report from Trustwave in April highlighted a dramatic 1800% increase in SVG-based phishing attacks observed between April of the previous year and the start of 2025.
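As an added illustration (not part of the Bleeping Computer report or of Microsoft's implementation), the following Python check shows the kind of active content that makes an inline SVG riskier than a plain raster image and that a mail gateway or client would want to flag: script elements, event-handler attributes, embedded HTML via foreignObject, and javascript:/data:text/html links. The three sample SVGs are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Local element names that can run code or embed HTML (e.g. a fake sign-in form)
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# href / xlink:href values starting with these schemes carry active content
RISKY_SCHEMES = ("javascript:", "data:text/html")


def _local(qualified_name):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return qualified_name.rsplit("}", 1)[-1]


def svg_active_content(svg_text):
    """Return the reasons an SVG is unsafe to render inline.

    An empty list means no active content was found by these checks;
    it is not a proof of safety (external references, CSS, etc. are not covered).
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):          # onload, onclick, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and value.strip().lower().startswith(RISKY_SCHEMES):
                findings.append(f"href with scheme {value.split(':', 1)[0]}: on <{tag}>")
    return findings


# Constructed samples: a benign image, a scripted one, and one embedding HTML
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPTED_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
                '<script>x()</script></svg>')
EMBEDDED_FORM_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" '
                     'xmlns:xlink="http://www.w3.org/1999/xlink">'
                     '<a xlink:href="javascript:void(0)"><text>Sign in</text></a>'
                     '<foreignObject><p xmlns="http://www.w3.org/1999/xhtml">Password</p>'
                     '</foreignObject></svg>')

if __name__ == "__main__":
    for label, svg in [("benign", BENIGN_SVG), ("scripted", SCRIPTED_SVG),
                       ("embedded form", EMBEDDED_FORM_SVG)]:
        print(label, "->", svg_active_content(svg) or "no active content found")
```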
This decision to retire inline SVG support is one component of a larger, ongoing initiative by Microsoft to eliminate or deactivate features across its Office and Windows ecosystems that have been repeatedly weaponized against its user base. Just a few months prior, in June, the company revealed that Outlook Web and the new Outlook for Windows would also begin blocking .library-ms and .search-ms file types. These specific file extensions have a history of being leveraged in sophisticated attacks aimed at government agencies and have been actively exploited in phishing and malware distribution since mid-2022. A comprehensive list of all file types now blocked by Outlook is accessible on Microsoft’s official documentation portal.
Microsoft’s security hardening efforts extend back several years. Since 2018, the company has broadened the capabilities of its Antimalware Scan Interface (AMSI) to thwart attacks that utilize Office VBA macros. This was followed by a series of decisive actions, including blocking VBA Office macros by default, introducing enhanced protections for XLM macros, disabling the legacy Excel 4.0 (XLM) macros, and setting a default policy to block untrusted XLL add-ins across its Microsoft 365 tenant infrastructure. More recently, in April 2025, the tech giant disabled all ActiveX controls within the Windows versions of its Microsoft 365 and Office 2024 applications. This move came after its May 2024 announcement regarding the planned deprecation of VBScript, scheduled for the latter half of that same year.
(Source: Bleeping Computer)