Microsoft Outlook Disables Inline SVG Images to Mitigate Security Risks
Summary
Microsoft has begun rolling out an update to Outlook for Web and the new Outlook for Windows to stop displaying inline SVG images. This change aims to mitigate potential security risks, such as cross-site scripting (XSS) attacks, and is expected to be completed by mid-October 2025. The update affects less than 0.1% of all images sent via Outlook, with minimal expected impact. SVG images sent as classic attachments will remain supported and viewable. This move is part of a broader effort to remove or disable features in Office and Windows that have been exploited in attacks targeting Microsoft customers.
Timeline
- 02.10.2025 21:13 · 1 article
Microsoft Outlook Disables Inline SVG Images to Mitigate Security Risks
Microsoft has started rolling out an update to Outlook for Web and the new Outlook for Windows to stop displaying inline SVG images. This change, aimed at mitigating potential security risks such as cross-site scripting (XSS) attacks, began in early September 2025 and is expected to be completed by mid-October 2025. The update affects less than 0.1% of all images sent via Outlook, with minimal expected impact. SVG images sent as classic attachments will remain supported and viewable. This move is part of a broader effort to disable features in Office and Windows that have been exploited in attacks.
- Microsoft Outlook stops displaying inline SVG images used in attacks — www.bleepingcomputer.com — 02.10.2025 21:13
Information Snippets
- Inline SVG images will no longer be displayed in Outlook for Web or the new Outlook for Windows.
First reported: 02.10.2025 21:13 · 1 source, 1 article
- Microsoft Outlook stops displaying inline SVG images used in attacks — www.bleepingcomputer.com — 02.10.2025 21:13
- The rollout began in early September 2025 and is expected to be completed by mid-October 2025.
First reported: 02.10.2025 21:13 · 1 source, 1 article
- Microsoft Outlook stops displaying inline SVG images used in attacks — www.bleepingcomputer.com — 02.10.2025 21:13
- SVG images sent as classic attachments will continue to be supported and viewable.
First reported: 02.10.2025 21:13 · 1 source, 1 article
- Microsoft Outlook stops displaying inline SVG images used in attacks — www.bleepingcomputer.com — 02.10.2025 21:13
- The change aims to mitigate potential security risks, such as cross-site scripting (XSS) attacks.
First reported: 02.10.2025 21:13 · 1 source, 1 article
- Microsoft Outlook stops displaying inline SVG images used in attacks — www.bleepingcomputer.com — 02.10.2025 21:13
- Malicious actors have used SVG files to deploy malware and display phishing forms.
First reported: 02.10.2025 21:13 · 1 source, 1 article
- Microsoft Outlook stops displaying inline SVG images used in attacks — www.bleepingcomputer.com — 02.10.2025 21:13
- Phishing attacks using SVG files have increased significantly, driven by phishing-as-a-service (PhaaS) platforms.
First reported: 02.10.2025 21:13 · 1 source, 1 article
- Microsoft Outlook stops displaying inline SVG images used in attacks — www.bleepingcomputer.com — 02.10.2025 21:13
- Microsoft has also blocked .library-ms and .search-ms file types in Outlook Web and the new Outlook for Windows.
First reported: 02.10.2025 21:13 · 1 source, 1 article
- Microsoft Outlook stops displaying inline SVG images used in attacks — www.bleepingcomputer.com — 02.10.2025 21:13
- Microsoft has expanded support for its Antimalware Scan Interface (AMSI) to block attacks using Office VBA macros.
First reported: 02.10.2025 21:13 · 1 source, 1 article
- Microsoft Outlook stops displaying inline SVG images used in attacks — www.bleepingcomputer.com — 02.10.2025 21:13