Tuesday, November 18, 2025

Microsoft Outlook stops displaying inline SVG images used in attacks

Microsoft says Outlook for Web and the new Outlook for Windows will no longer display harmful inline SVG images that are being used in attacks.

This change started rolling out worldwide in early September 2025 and is expected to be completed for all customers by mid-October 2025.

Redmond added that this change will affect less than 0.1% of all images sent using Outlook, so the actual impact after the rollout ends is expected to be minimal.

“Inline SVG images will no longer be displayed in Outlook for Web or the new Outlook for Windows. Instead, users will see blank spaces where these images would have appeared,” the company said in a Microsoft 365 Message Center update on Tuesday.

“SVG images sent as regular attachments will continue to be supported and viewable from the attachment well. This update helps mitigate potential security risks, such as cross-site scripting (XSS) attacks.”

Malicious actors have extensively used SVG (Scalable Vector Graphics) files over the past few years to deploy malware and display phishing forms. Cybersecurity companies have also reported a significant increase in phishing attacks using this particular document format, driven by PhaaS platforms such as Tycoon2FA, Mamba2FA, and Sneaky2FA.
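The reason inline SVG is treated as an XSS risk is that the format is XML and can carry active content: script elements, foreignObject (which embeds arbitrary HTML), event-handler attributes and javascript: links. The following triage helper, added here as an illustration and not code from Microsoft or Outlook, parses an SVG fragment and reports those indicators so a mail gateway or analyst can flag it; the two sample SVGs are constructed for the example.

```python
"""Flag SVG markup that carries active (scriptable) content.

Added example for this article, not Microsoft's or Outlook's code.
For untrusted input in production, parse with defusedxml instead of
the stdlib parser to guard against entity-expansion tricks.
"""
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ACTIVE_ELEMENTS = {"script", "foreignobject"}


def svg_risk_indicators(svg_text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()  # drop the XML namespace
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            local = name.split("}")[-1].lower()
            if local.startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"{local} handler on <{tag}>")
            elif local == "href" or name == XLINK_HREF:
                v = value.strip().lower()
                if v.startswith(("javascript:", "data:text/html")):
                    findings.append(f"scriptable href on <{tag}>")
                elif v.startswith(("http://", "https://")):
                    findings.append(f"external href on <{tag}>")
    return findings


# Constructed samples for the example (not real phishing artifacts).
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
RISKY_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<a xlink:href="javascript:void(0)"><rect width="1" height="1"/></a>'
    '<foreignObject><body onload="x()"/></foreignObject>'
    '<script>1</script>'
    '</svg>'
)

if __name__ == "__main__":
    print("benign:", svg_risk_indicators(BENIGN_SVG))
    print("risky:", svg_risk_indicators(RISKY_SVG))
```

A hit on any indicator is a reason to quarantine or strip the image rather than render it; a plain vector drawing like the benign sample produces no findings.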

For example, Trustwave reported in April that SVG-based attacks have pivoted toward phishing campaigns, seeing a staggering 1800% increase between early 2025 and April 2024.

The retirement of inline SVG images in Microsoft Outlook is part of a broader effort to remove or disable Office and Windows features that have been abused in attacks targeting Microsoft customers.

In June, Microsoft also announced that Outlook Web and the new Outlook for Windows will start blocking .library-ms and .search-ms file types. These file types were previously used in attacks targeting government entities and have been exploited in phishing and malware attacks since at least June 2022. The complete list of blocked Outlook attachments is available on Microsoft’s documentation website.

Since 2018, Redmond has also expanded support for its Antimalware Scan Interface (AMSI) to block attacks using Office VBA macros in Office 365 client apps, started blocking VBA Office macros by default, introduced XLM macro protection, disabled Excel 4.0 (XLM) macros, and began blocking untrusted XLL add-ins by default across Microsoft 365 tenants.

In April 2025, it also disabled all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 apps, following its announcement in May 2024 that it would deprecate VBScript in the second half of 2024.
