Microsoft Outlook Blocks Inline SVG Images to Stop Phishing Attacks
Most cyberattacks still start with a phish 🎣—and Microsoft is taking another step to cut off one of the attackers’ favorite tricks.
Beginning in September 2025, Microsoft started rolling out a change to Outlook for Web and the new Outlook for Windows: those clients no longer display inline SVG (Scalable Vector Graphics) images. Microsoft expects the rollout to be complete worldwide by mid‑October 2025.
This update is more than cosmetic. It’s a direct response to the growing abuse of SVG files in phishing campaigns, where attackers use them to hide malicious code, deliver malware, or trick users into entering credentials.
Why SVG Files Became a Phishing Weapon
SVGs are popular because they’re lightweight, scalable, and widely used for logos, icons, and graphics. But unlike raster formats such as PNG or JPG, an SVG is an XML text document, so attackers can embed JavaScript, event-handler attributes, HTML fragments, or clickable links inside what looks like a picture.
Security researchers have tracked a 245% increase in phishing campaigns using SVG attachments in early 2025 compared to late 2024. In some campaigns, SVGs accounted for nearly 30% of all malicious attachments.
Attackers love SVGs because:
Many email filters treat them as harmless images and wave them through without inspecting the markup inside.
They can carry obfuscated JavaScript that does nothing while the file is rendered as an image inside a mail client but executes when the file is opened directly in a browser, which is exactly what happens when a user double‑clicks a saved attachment.
They can redirect users to phishing sites disguised as Microsoft login pages or other trusted brands.
They’re often delivered through Phishing‑as‑a‑Service (PhaaS) platforms like Tycoon2FA, Mamba2FA, and Sneaky2FA, making them easy to deploy at scale.
What Microsoft Changed in Outlook
With this update, inline SVG images no longer render in Outlook for Web or the new Outlook for Windows; users see a placeholder or blocked content message instead. Note the scope: the change addresses SVGs embedded in the message body. It does not by itself stop a user from saving an SVG attachment and opening it in a browser, which is the path behind the attachment statistics above, so attachment‑level scanning or blocking is still needed.
This change helps mitigate risks such as:
Cross‑Site Scripting (XSS) attacks triggered by malicious SVGs.
Credential harvesting via fake login forms embedded in SVGs.
Malware delivery hidden behind clickable transparent overlays.
It’s part of Microsoft’s broader effort to retire or disable features that attackers have historically abused, similar to blocking macros by default in Office files downloaded from the internet.
Why This Matters for Businesses
For organizations, this change is a win for security. By blocking inline SVGs, Microsoft is cutting off an attack vector that has been growing fast.
But businesses should still take proactive steps:
Educate employees that not all images are safe—phishing can hide in unexpected places.
Update security awareness training to include SVG‑based phishing tactics.
Review email security policies to ensure that non‑traditional attachment types such as SVG are inspected or blocked outright, and that links embedded inside them are extracted and checked, not just links in the message body.
Adopt layered defenses—don’t rely solely on Microsoft’s protections.
The Bigger Picture: Phishing Keeps Evolving
Phishing isn’t going away—it’s just evolving. Attackers constantly look for new ways to bypass filters and exploit user trust. First it was macros, then HTML smuggling, now SVGs. Tomorrow, it will be something else.
The lesson is clear: security is a moving target. Organizations need to stay agile, patch quickly, and continuously adapt defenses.
Actionable Security’s Take
At Actionable Security, we like to keep it simple: fewer sketchy fish in your inbox means more peace of mind for your users.
Microsoft’s move to block inline SVGs in Outlook is a smart step, but it’s not a silver bullet. If you want to make sure your business is protected against the next wave of phishing tricks, we can help you build defenses that go beyond the basics.
Because in cybersecurity, the only thing better than catching phish… is not letting them swim into your inbox in the first place.
#PhishAndChips #SVGonePhishing #OutlookOutsmarted #ClickLessStress