Microsoft Blocks Risky SVG Images in Outlook to Stop Attacks
Microsoft is taking a major step to keep cybercriminals from exploiting Outlook: it will stop inline SVG images from rendering in Outlook for Web and the new Outlook for Windows.
Outlook to Block Inline SVG Images Globally
Starting in early September 2025, Microsoft began rolling out a change that removes inline SVG (Scalable Vector Graphics) images from Outlook. The rollout is expected to reach all customers by mid-October.
This means users will no longer see inline SVG images inside their emails. Instead, blank spaces will appear where the images used to be.
The company stressed that the impact will be very small, affecting less than 0.1% of all images sent through Outlook. Traditional SVG attachments, sent as files rather than inline content, will still be supported and viewable from the attachment section.
Microsoft explained that the decision is part of its effort to strengthen protections against phishing and malware campaigns that have increasingly relied on SVG files.
Why SVG Images Are Being Exploited
SVG files are not just simple image files. Unlike common image formats such as PNG or JPEG, SVG is a vector format that can include scripts and interactive elements. Attackers have long taken advantage of this flexibility to hide malicious code.
Over the last two years, cybersecurity companies have tracked an alarming rise in phishing campaigns abusing SVGs. For example, in April 2025, Trustwave reported a 1,800% increase in SVG-based phishing attacks compared to the previous year.
These files have been especially popular with phishing-as-a-service (PhaaS) platforms like Tycoon2FA, Mamba2FA, and Sneaky2FA, which sell ready-made phishing tools to cybercriminals. By embedding scripts into SVGs, attackers can deliver fake login pages or trigger malware downloads directly inside an email.
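As an added illustration (not code from the article or from Microsoft), here is a small Python check of the kind a mail gateway could apply to an inline or attached SVG: it flags the scripting and interactive constructs the section describes (script elements, event-handler attributes, foreignObject, javascript: links) and treats unparseable markup as suspect. Both sample SVGs are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructs that turn a "picture" into active content; thresholds and names
# here are assumptions for this example, not Microsoft's filtering rules.
RISKY_ELEMENTS = {"script", "foreignObject"}


def local(name):
    """Strip the XML namespace prefix ({uri}name -> name)."""
    return name.rsplit("}", 1)[-1]


def svg_findings(svg_text):
    """Return a list of reasons an SVG should be treated as active content.

    An empty list means only static drawing markup was found. Markup that
    does not parse is reported rather than silently allowed, because a
    renderer may still be lenient enough to execute it.
    """
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return ["unparseable XML"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in RISKY_ELEMENTS:
            findings.append(f"element <{tag}>")
        for attr_name, value in el.attrib.items():
            attr = local(attr_name)
            if attr.lower().startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"event handler {attr} on <{tag}>")
            if attr == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{tag}>")
    return findings


def is_active_svg(svg_text):
    """True when the SVG carries anything beyond static drawing markup."""
    return bool(svg_findings(svg_text))


# Constructed samples: a plain drawing and one carrying active constructs.
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              '<circle cx="5" cy="5" r="4" fill="blue"/></svg>')
ACTIVE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" '
              'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
              '<script>/* constructed placeholder */</script>'
              '<a xlink:href="javascript:void(0)"><text>Open</text></a></svg>')

if __name__ == "__main__":
    for label, svg in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, svg_findings(svg))
```

A gateway would run this over each SVG MIME part and each inline `<svg>` in the HTML body, quarantining or stripping anything that returns findings.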
A Broader Microsoft Push Against File-Based Threats
The decision to stop inline SVGs is not an isolated move. Microsoft has been gradually closing off multiple attack routes that rely on risky file types and old scripting technologies.
Here are some of the recent actions taken:
June 2025: Outlook began blocking .library-ms and .search-ms files, which attackers had been using since at least 2022 to target government and enterprise networks.
April 2025: Microsoft disabled all ActiveX controls in Office 2024 and Microsoft 365 apps for Windows, cutting off another popular path for malware delivery.
Since 2018: The company expanded its Antimalware Scan Interface (AMSI) to cover Office macros, blocked VBA macros by default, introduced protection for legacy Excel 4.0 macros, and restricted untrusted XLL add-ins across Microsoft 365 tenants.
2024: Microsoft officially began deprecating VBScript, a scripting language that had been heavily abused in malware campaigns.
This tightening of controls reflects Microsoft’s recognition that attackers often reuse older features and file types in creative ways, making them long-term risks if left enabled.
Impact on Users and Businesses
For most Outlook users, the change will barely be noticeable. Microsoft estimated that inline SVGs make up less than 0.1% of images sent across its platforms.
Still, businesses that rely on SVGs for marketing or branding inside emails may need to adapt. These companies will need to send SVG files as traditional attachments rather than embedding them directly into the message body.
For users, the security benefits are clear. By removing the ability to load scripts hidden in SVG files, Microsoft is cutting off one of the most effective tricks cybercriminals use to bypass filters.
Some security analysts argue this move is overdue, given the sheer scale of phishing campaigns built on SVG exploitation in recent years. Yet others see it as a sign that Microsoft is more aggressively prioritizing security over backward compatibility and user convenience.
The Bigger Picture in Email Security
Email remains the most common way attackers breach organizations, with over 90% of successful cyberattacks starting with a phishing message, according to industry studies.
The removal of inline SVGs fits into a growing trend of email providers tightening controls around what content can be displayed inside messages. By stripping risky features, companies reduce the chances of malicious code slipping past filters.
For users, this underscores the importance of being cautious with email attachments and embedded content, even from known senders. Visual elements in emails are often trusted without question, but as this change shows, even images can carry hidden threats.
In many ways, Microsoft’s latest action reflects the growing reality of cybersecurity: features that were once seen as useful or innovative can quickly become dangerous when turned into attack tools.
Microsoft’s decision to block inline SVG images in Outlook highlights how email platforms must adapt to evolving threats. While the change may be minor in terms of user impact, it represents a significant win for security. As attackers continue to exploit the smallest gaps in widely used tools, such proactive measures may make the difference in preventing large-scale breaches. Do you think this move will make Outlook safer or simply push attackers toward other tricks?