Microsoft says that the new outlook for the web for the web and Windows will no longer display risky inline SVG images that are being used in attacks.
The change began worldwide in early September 2025 and is expected to be completed by all customers by mid -October 2025.
Redmund said that this change would affect less than 0.1% of all images sent using Outlook, so the actual impact is expected to be minimal after the end of the rollout.
“Inline SVG images will no longer be displayed in the new outlook for the web or the new outlook for Windows. Instead, users will see empty spaces where these pictures will see,” the company Said Microsoft 365 Message Center on Tuesday.
“SVG images sent as classic attachment will continue well supportable and viewable. This update helps reduce possible security risks, such as cross-site scripting (XSS) attacks.”
Malibly actors have used large -scale SVG (scalable vector graphics) files over the last few years to deploy malware and display fishing forms. Cyber security companies have reported a significant increase in fishing attacks using this special document format, which is operated by PHAAS platforms such as Tycoon2FA, Mamba2FA and Sneaky2FA.
For example, Trustwave Informed in April SVG-based attacks have moved to fishing operations, given the growth of 1800% in 2025 and early April 2024.
The retirement of inline SVG images in Microsoft Outlook is part of a comprehensive effort to remove or disable the office and disable the office -abusing office and Windows features.
In June, Microsoft also announced that Outlook would begin to block new outlooks for Web and Windows. These file types were previously used in target attacks of government institutions and have been exploited in fishing and malware attacks since at least June 2022. Full list of blocked outlook attachment is available Microsoft’s Documents website,
Since 2018, Redmund has expanded support for its AntiMware Scan Interface (AMSI) to block attacks using office VBA macros in Office 365 client apps, began to block VBA Office Macrose by default, started blocking Macro Protection, incomplete Excel 4.0 The default began blocking XLL add-ins by default.
In April 2025, it also disabled all activex controls in Windows versions of Microsoft 365 and Office 2024 apps, after its announcement in May 2024 that it would remove VBSCRIPT in the second half of 2024.
attend Violation and attack simulation summit And experience Future of security verificationListen to top experts and see how AI-managed base Breach is changing and attacking simulation.
Do not remember the event that will shape the future of your safety strategy
