  • Microsoft Outlook will no longer show inline SVG images regularly exploited in phishing attacks

    aum

    • 459 views
    • 2 minutes

    Users will just see blank spaces where these images would have been

     

    • Outlook stops showing inline SVG images to limit phishing and malware risks
    • Microsoft continues retiring risky features across Office and Windows platforms for protection
    • Company balances user impact with security, ensuring SVG attachments remain fully supported

     

    Malicious use of SVG files has become more and more common in recent years, with attackers relying on the format to deliver malware and build phishing pages.

     

    In response, Microsoft is changing how Outlook handles this type of content and will now prevent inline SVG images from appearing in Outlook for Web or in the new Outlook for Windows.

     

    In a Microsoft 365 Message Center update, the tech giant said, "Inline SVG images will no longer be displayed in Outlook for Web or the new Outlook for Windows. Instead, users will see blank spaces where these images would have appeared."

     

    A small impact

     

    Microsoft won't be fully blocking SVG files, however.

     

    "SVG images sent as classic attachments will continue to be supported and viewable from the attachment well. This update helps mitigate potential security risks, such as cross-site scripting (XSS) attacks," the company added.

     

    Microsoft says fewer than 0.1% of images in Outlook use this method, so the impact on typical communication should be minor.
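For administrators who want to see which stored messages the change touches, the following added example (not from Microsoft or the original article) walks a message's MIME parts, separates inline SVG images from classic SVG attachments, and flags SVG markup that carries active content. The "inline" rule, the marker list, and the sample message are assumptions made for illustration.

```python
import re
from email.message import EmailMessage

# Heuristic markers of active content in SVG markup (assumed list, not exhaustive).
ACTIVE = re.compile(r"<script\b|\son\w+\s*=|javascript:|<foreignObject\b", re.I)

def audit_svg(msg: EmailMessage) -> list:
    """Return one finding per image/svg+xml MIME part in the message."""
    # Collect the HTML body so cid: references to SVG parts can be detected.
    html = "".join(p.get_content() for p in msg.walk()
                   if p.get_content_type() == "text/html")
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "image/svg+xml":
            continue
        cid = (part.get("Content-ID") or "").strip("<>")
        # Assumption: "inline" means Content-Disposition: inline, or a cid: reference
        # from the HTML body. Anything else is treated as a classic attachment.
        inline = (part.get_content_disposition() == "inline"
                  or bool(cid and f"cid:{cid}" in html))
        svg = part.get_payload(decode=True).decode("utf-8", "replace")
        findings.append({
            "name": part.get_filename() or cid or "(unnamed)",
            "kind": "inline" if inline else "attachment",
            "active": bool(ACTIVE.search(svg)),
        })
    return findings

def build_sample() -> EmailMessage:
    """Constructed message: an inline SVG with an event handler and a clean attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text body")
    msg.add_alternative('<p><img src="cid:logo@example.test"></p>', subtype="html")
    msg.get_payload()[1].add_related(
        b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"/>',
        "image", "svg+xml", cid="<logo@example.test>")
    msg.add_attachment(
        b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>',
        maintype="image", subtype="svg+xml", filename="chart.svg")
    return msg

if __name__ == "__main__":
    for finding in audit_svg(build_sample()):
        print(finding)
```

Parts reported as `inline` are the ones that would render as blank space after the change; `attachment` parts stay viewable, so the `active` flag is the signal worth reviewing there.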

    The decision is part of Microsoft’s wider strategy to reduce the number of features that attackers can abuse.

     

    Over the past several years, the company has retired or restricted functions in both Office and Windows that have been used in phishing or malware campaigns.

     

    Earlier in 2025, Outlook Web and Outlook for Windows began blocking .library-ms and .search-ms files, which Bleeping Computer notes had been exploited in attacks against government targets since at least 2022.

     

    Microsoft has also implemented protections against macros and add-ins in its productivity software. Changes include blocking VBA Office macros by default, adding protection for Excel 4.0 macros, disabling untrusted XLL add-ins and ActiveX controls in Microsoft 365 and Office 2024 apps, and removing support for VBScript.

     

    The full list of formats now blocked is available to view in Microsoft’s documentation here.

     

    Source

