Microsoft Outlook blocks inline SVG rendering to reduce XSS and phishing abuse

Security Tool/Service
H score 30
1 unique sources, 1 articles

Summary

Microsoft is blocking inline SVG images in Outlook for Web and the new Outlook for Windows, reducing exposure to SVG-based phishing and cross-site scripting (XSS) abuse. The rollout began in early September 2025 and is expected to finish by mid-October 2025. Users will see blank spaces where inline SVG content would have appeared, while classic SVG attachments remain viewable. Microsoft says the change should affect less than 0.1% of images sent through Outlook.

Related Happenings

Microsoft Exchange CVE-2026-42897 mitigation advisory

Advisory/Mitigation
First: 15.05.2026 12:40 Last: 15.05.2026 12:40 Sources 1

About this happening: **Microsoft** issued immediate mitigation guidance for **CVE-2026-42897**, reducing risk for **Exchange Server 2016, 2019, and Subscription Edition (SE)** on-premises servers that...

Latest development: 15.05.2026 15:35

Microsoft issued temporary mitigation guidance for CVE-2026-42897 while a patch is still in development, recommending the Exchange Emergency Mitigation (EM) Service, which is enabled by default and can be checked with the Exchange Health Checker script, or the Exchange On-premises Mitigation Tool (EOMT) for disconnected or air-gapped environments. Microsoft noted that the mitigations can disrupt features such as OWA Print Calendar and Inline images, and that servers older than March 2023 cannot receive new mitigations through EM Service.

Microsoft Exchange Server spoofing/XSS flaw under active exploitation (CVE-2026-42897)

Vulnerability
First: 15.05.2026 09:19 Last: 15.05.2026 09:19 Sources 1

About this happening: **CVE-2026-42897** is an **actively exploited** **spoofing/XSS** flaw in **on-premises Microsoft Exchange Server** that can let attackers trigger **arbitrary JavaScript** in a bro...

Microsoft May 2026 Patch Tuesday (120 flaws)

Security Patch Release
First: 12.05.2026 21:08 Last: 12.05.2026 21:08 Sources 1

About this happening: **Microsoft** released its **May 2026 Patch Tuesday** updates, fixing **120 flaws** and disclosing **no zero-days**. The bundle includes **17 Critical** vulnerabilities, with mult...

Code of conduct-themed Microsoft AiTM phishing campaign

Campaign
First: 05.05.2026 09:35 Last: 05.05.2026 09:35 Sources 1

About this happening: A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...

Microsoft Outlook.com outage causing sign-in failures

Service Disruption
First: 27.04.2026 15:03 Last: 27.04.2026 15:03 Sources 1

About this happening: Microsoft's **Outlook.com** is experiencing an **ongoing outage** that is blocking sign-ins and mailbox access, leaving some customers unable to use email normally. The disruption...

Timeline

  1. 02.10.2025 21:13 2 articles · 7mo ago

    Microsoft blocks inline SVG rendering in Outlook

    Mitigation Patch Update

    Microsoft is rolling out a change in Outlook for Web and the new Outlook for Windows that stops displaying risky inline SVG images used in attacks, replacing them with blank spaces while keeping SVG images sent as classic attachments viewable from the attachment well. Microsoft says the change helps mitigate potential security risks such as cross-site scripting (XSS), began rolling out worldwide in early September 2025, is expected to be completed for all customers by mid-October 2025, and should affect less than 0.1% of all images sent using Outlook.