Microsoft Outlook to stop rendering SVG images as hackers exploit them

Microsoft has announced that Outlook on the web and the new Outlook for Windows will no longer display embedded SVG images because they are being used in cyberattacks.

The rollout of the new security measure began in early September 2025 and is expected to be completed for all users by mid-October 2025.

The company notes that these changes will affect less than 0.1% of all images sent via Outlook, so the actual impact on users after the rollout is complete should be minimal.

“Embedded SVG images will no longer be displayed in the web version of Outlook and the new Outlook for Windows. Instead, users will see empty placeholders where these images should have appeared,” the company said. “SVG images sent as regular attachments will still be supported and displayed via the attachment pane. This update is intended to reduce potential security risks, such as cross-site scripting (XSS) attacks.”
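To gauge which stored messages the change touches, the sketch below (an added example, not Microsoft's code and not part of the original article) walks a message's MIME parts, separates SVGs embedded in the body from SVGs sent as regular attachments, and flags script-like markup. The sample message, the `audit_svg_parts` name and the rule for treating a part as embedded (inline disposition or a `cid:` reference from the HTML body) are assumptions; the article does not say how Outlook makes that decision.

```python
import re
from email import message_from_string, policy

# Constructed sample (not from the article): one SVG embedded via cid, one attached.
SAMPLE_EML = """\
From: sender@example.com
To: user@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Invoice</p><img src="cid:logo1"></body></html>
--b1
Content-Type: image/svg+xml
Content-ID: <logo1>
Content-Disposition: inline; filename="logo.svg"

<svg xmlns="http://www.w3.org/2000/svg"><script>/* placeholder */</script></svg>
--b1
Content-Type: image/svg+xml
Content-Disposition: attachment; filename="chart.svg"

<svg xmlns="http://www.w3.org/2000/svg"><rect width="4" height="4"/></svg>
--b1--
"""

# Markup that makes an SVG active content rather than a plain image.
ACTIVE = re.compile(rb"<script|\son\w+\s*=|<foreignObject|javascript:", re.I)

def audit_svg_parts(raw):
    """Return one finding per image/svg+xml part in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    html = "".join(p.get_content() for p in msg.walk()
                   if p.get_content_type() == "text/html")
    cids = set(re.findall(r"cid:([^\"'\s>]+)", html, re.I))
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "image/svg+xml":
            continue
        cid = str(part["Content-ID"] or "").strip("<> ")
        # Assumption: "embedded" = inline disposition or referenced from the body.
        inline = part.get_content_disposition() == "inline" or (bool(cid) and cid in cids)
        data = part.get_payload(decode=True) or b""
        findings.append({"filename": part.get_filename(), "inline": inline,
                         "active_content": bool(ACTIVE.search(data))})
    return findings

if __name__ == "__main__":
    for f in audit_svg_parts(SAMPLE_EML):
        print(f)
```

Parts reported with `inline` set are the ones that would show as empty placeholders after the rollout; attached SVGs remain reachable through the attachment pane and still deserve the `active_content` check.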

In recent years, attackers have indeed actively used SVG (Scalable Vector Graphics) files to spread malware and display phishing forms.

For instance, at the end of 2024, infosec specialists warned that attackers were increasingly attaching SVG-format files to their emails, helping them evade detection. In April 2025, Trustwave experts reported that attacks using SVG had shifted toward phishing campaigns and showed a 1,800% increase since April 2024.

Finally, just recently, at the end of September 2025, Microsoft uncovered a malicious campaign that used SVG files generated with an LLM to evade email security.

Stopping the display of embedded SVG images in Microsoft Outlook is part of a broader strategy to remove or disable Office and Windows features that attackers abuse against users of Microsoft products.

For example, in June of this year Microsoft announced that the web version of Outlook and the new Outlook for Windows would block files with the .library-ms and .search-ms extensions. These file types were previously used in attacks against government organizations and have been exploited in malicious campaigns since at least June 2022.

The full list of Outlook blocked attachments is available on the Microsoft website.
