Microsoft Limits Inline SVG Images in Outlook to Combat Phishing and Malware

Published 2025-10-06 02:52:41 | www.techradar.com

๐ŸŽ™๏ธ Paranoid Newscast

Microsoft is updating Outlook to stop displaying inline SVG images in an effort to mitigate security risks associated with phishing and malware. While SVG attachments will still be supported, the change aims to reduce the potential for cross-site scripting (XSS) attacks.


Microsoft continues to retire risky features across its Office and Windows platforms to improve protection. The company is balancing user impact against security, and SVG attachments remain fully supported. Malicious use of SVG files has become increasingly common in recent years, with attackers relying on the format to deliver malware and build phishing pages.

In response, Microsoft is changing how Outlook handles this type of content and will now prevent inline SVG images from appearing in Outlook for Web or in the new Outlook for Windows. In a Microsoft 365 Message Center update, the tech giant said, "Inline SVG images will no longer be displayed in Outlook for Web or the new Outlook for Windows. Instead, users will see blank spaces where these images would have appeared."

The impact is expected to be small: Microsoft states that fewer than 0.1% of images in Outlook use this method. The decision is part of Microsoft's wider strategy to reduce the number of features that attackers can abuse. Earlier in 2025, Outlook Web and the new Outlook for Windows began blocking .library-ms and .search-ms files, which had been exploited in attacks against government targets since at least 2022.

Microsoft has also implemented protections against macros and add-ins in its productivity software, including blocking VBA Office macros by default and adding protection for Excel 4.0 macros. The full list of formats now blocked is available in Microsoft's documentation.