Microsoft Outlook Will Stop Displaying SVG Images Because Hackers Are Using Them

Microsoft announced that both the web version of Outlook and the new Outlook for Windows will no longer display embedded SVG images due to their increasing use in hacker attacks.

The rollout of this new protective measure began in early September 2025 and is expected to be completed for all users by mid-October 2025.

According to Microsoft, the change will affect less than 0.1% of all images sent through Outlook, meaning the overall impact on users should be minimal once deployment is complete.

“Embedded SVG images will no longer be displayed in the web version of Outlook and the new Outlook for Windows. Instead, users will see blank spaces where these images would normally appear,” the company stated. “SVG images sent as regular attachments will remain supported and can still be viewed through the attachments panel. This update is designed to reduce potential security risks, such as cross-site scripting (XSS) attacks.”

Why Microsoft Is Doing This

Over the past few years, malicious actors have increasingly weaponized SVG (Scalable Vector Graphics) files to distribute malware or create phishing forms that evade standard email security checks.

For example:

  • In late 2024, cybersecurity researchers warned that attackers were attaching SVG files to emails to bypass detection systems.
  • In April 2025, Trustwave experts reported a dramatic 1,800% increase in SVG-based phishing campaigns compared to April 2024.
  • And most recently, in September 2025, Microsoft uncovered a campaign using LLM-generated SVG files that successfully bypassed traditional email protection mechanisms.

These incidents show that the flexibility of SVGs—once valued for crisp, scalable graphics—has become a security liability in email environments.
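
For mail teams that want to see how their own traffic splits along the line Microsoft draws in its statement, the following added example (not Microsoft's code and not part of the original article) lists the SVG parts of a message, separates embedded images from regular attachments, and flags script-capable markup. The sample message, the name audit_svg_parts, and the rule that any SVG part not marked Content-Disposition: attachment counts as embedded are assumptions made for illustration.

```python
import email
import re
from email import policy

# Constructed sample message (not from a real campaign): one inline SVG
# carrying script markup, one plain SVG sent as a regular attachment.
SAMPLE_EML = """\
From: sender@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><img src="cid:logo1"></body></html>
--b1
Content-Type: image/svg+xml
Content-ID: <logo1>
Content-Disposition: inline; filename="logo.svg"

<svg xmlns="http://www.w3.org/2000/svg" onload="init()"><script>/* placeholder */</script></svg>
--b1
Content-Type: image/svg+xml
Content-Disposition: attachment; filename="chart.svg"

<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>
--b1--
"""

# Markup that lets an SVG do more than draw: scripts, embedded HTML, event handlers, script URLs.
ACTIVE = re.compile(r"<\s*script\b|<\s*foreignObject\b|\bon\w+\s*=|javascript:", re.I)

def audit_svg_parts(raw: str):
    """Return (filename, placement, has_active_content) for every SVG part."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename() or ""
        if part.get_content_type() != "image/svg+xml" and not name.lower().endswith(".svg"):
            continue
        # Assumption: anything not explicitly an attachment is treated as embedded.
        placement = "attachment" if part.get_content_disposition() == "attachment" else "embedded"
        body = part.get_payload(decode=True).decode("utf-8", errors="replace")
        findings.append((name, placement, bool(ACTIVE.search(body))))
    return findings

if __name__ == "__main__":
    print(audit_svg_parts(SAMPLE_EML))
```

Parts reported as attachments are the ones Microsoft says remain viewable through the attachments panel, so active content found there still needs to be handled by attachment scanning.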


A Broader Security Strategy

The move to block embedded SVGs is part of Microsoft’s ongoing strategy to eliminate or disable Office and Windows features frequently exploited in cyberattacks.

For instance, in June 2025, the company announced that Outlook would also block files with the .library-ms and .search-ms extensions. These file types have been abused in targeted attacks against government and corporate organizations since at least mid-2022.

Microsoft’s security roadmap increasingly focuses on reducing the attack surface by disabling legacy or high-risk file types that serve little legitimate purpose in modern workflows.

A full list of blocked Outlook attachments is available on Microsoft’s official website.


Summary

Microsoft’s decision to block embedded SVG images in Outlook marks another step in its effort to harden email security. While the change may slightly affect email aesthetics, it significantly reduces opportunities for phishing and malware delivery—an acceptable trade-off in the current threat landscape.