Sunday, April 26, 2026

Microsoft Outlook stops displaying inline SVG images used in attacks



Microsoft says Outlook for Web and the new Outlook for Windows will no longer display risky inline SVG images that are being used in attacks.

This change started rolling out worldwide in early September 2025 and is expected to be completed for all customers by mid-October 2025.

Redmond added that this change will affect less than 0.1% of all images sent using Outlook, so the actual impact after the rollout ends is expected to be minimal.

“Inline SVG images will no longer be displayed in Outlook for Web or the new Outlook for Windows. Instead, users will see blank spaces where these images would have appeared,” the company said in a Microsoft 365 Message Center update on Tuesday.

“SVG images sent as classic attachments will continue to be supported and viewable from the attachment well. This update helps mitigate potential security risks, such as cross-site scripting (XSS) attacks.”

Malicious actors have extensively used SVG (Scalable Vector Graphics) files over the past few years to deploy malware and display phishing forms. Cybersecurity companies have also reported a significant increase in phishing attacks using this particular document format, driven by PhaaS platforms such as Tycoon2FA, Mamba2FA, and Sneaky2FA.
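An added example (not from the article or from Microsoft) of how a mail-filtering step could separate the two cases the update distinguishes, inline SVG versus classic attachments, and flag script-capable content. The placement labels, the heuristic regex and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

# Heuristic markers of script-capable SVG content (an assumption, not Microsoft's logic)
ACTIVE = re.compile(r"<\s*script\b|\bon\w+\s*=|<\s*foreignObject\b|javascript:", re.I)
SVG_TAG = re.compile(r"<svg\b.*?</svg\s*>", re.I | re.S)

def _text(part):
    # Undo the transfer encoding, then decode with the declared charset (UTF-8 fallback)
    data = part.get_payload(decode=True) or b""
    return data.decode(part.get_content_charset() or "utf-8", errors="replace")

def triage_svg(raw_eml):
    """List every SVG in a message as (placement, filename, has_active_content)."""
    findings = []
    for part in message_from_string(raw_eml, policy=policy.default).walk():
        ctype = part.get_content_type()
        if ctype == "image/svg+xml":
            # Only an explicit attachment disposition counts as a classic attachment
            where = "attachment" if part.get_content_disposition() == "attachment" else "inline-part"
            findings.append((where, part.get_filename(), bool(ACTIVE.search(_text(part)))))
        elif ctype == "text/html":
            # SVG markup written directly into the HTML body
            for svg in SVG_TAG.findall(_text(part)):
                findings.append(("inline-markup", None, bool(ACTIVE.search(svg))))
    return findings

# Constructed sample message (not from any real campaign)
SAMPLE_EML = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<p>Hi</p><svg xmlns="http://www.w3.org/2000/svg"><script>/* placeholder */</script></svg>
--b1
Content-Type: image/svg+xml
Content-Disposition: inline; filename="logo.svg"

<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>
--b1
Content-Type: image/svg+xml
Content-Disposition: attachment; filename="chart.svg"

<svg xmlns="http://www.w3.org/2000/svg"><rect width="4" height="4"/></svg>
--b1--
"""
if __name__ == "__main__":
    print(*triage_svg(SAMPLE_EML), sep="\n")
```

A filter built on this would log or strip the `inline-*` findings and route flagged attachments to deeper inspection.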

For example, Trustwave reported in April that SVG-based attacks have pivoted toward phishing campaigns, seeing a staggering 1800% increase between early 2025 and April 2024.

The retirement of inline SVG images in Microsoft Outlook is part of a broader effort to remove or disable Office and Windows features that have been abused in attacks targeting Microsoft customers.

In June, Microsoft also announced that Outlook Web and the new Outlook for Windows will start blocking .library-ms and .search-ms file types. These file types were previously used in attacks targeting government entities and have been exploited in phishing and malware attacks since at least June 2022. The complete list of blocked Outlook attachments is available on Microsoft’s documentation website.

Since 2018, Redmond has also expanded support for its Antimalware Scan Interface (AMSI) to block attacks using Office VBA macros in Office 365 client apps, started blocking VBA Office macros by default, introduced XLM macro protection, disabled Excel 4.0 (XLM) macros, and began blocking untrusted XLL add-ins by default across Microsoft 365 tenants.

In April 2025, it also disabled all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 apps, following its announcement in May 2024 that it would deprecate VBScript in the second half of 2024.
