- Outlook stops displaying inline SVG images to limit phishing and malware risks
- Microsoft continues retiring risky features across Office and Windows platforms for security
- Company balances user impact with security, ensuring SVG attachments remain fully supported
Malicious use of SVG files has become more and more common in recent years, with attackers relying on the format to deliver malware and build phishing pages.
In response, Microsoft is changing how Outlook handles this type of content and will now prevent inline SVG images from appearing in Outlook for Web or in the new Outlook for Windows.
In a Microsoft 365 Message Center update, the tech giant said, “Inline SVG images will not be displayed in Outlook for Web or the new Outlook for Windows. Instead, users will see blank spaces where these images would have appeared.”
A small impact
Microsoft will not be fully blocking SVG files, however.
“SVG images sent as classic attachments will continue to be supported and viewable from the attachment well. This update helps mitigate potential security risks, such as cross-site scripting (XSS) attacks,” the company added.
Microsoft says fewer than 0.1% of images in Outlook use this method, so the impact on typical communication should be minor.
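The inline-versus-attachment distinction above can be checked on the defender's side. The following Python example is added here and is not code from Microsoft or the original article: it classifies each SVG part of a message and flags script-capable content. It assumes "inline" means a part marked `Content-Disposition: inline` or referenced by a `cid:` URL in the HTML body (the article does not define the term); the sample message and the active-content heuristic are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message (not real mail): one inline SVG, one SVG attachment.
SAMPLE = """\
From: sender@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><img src="cid:logo1"></body></html>
--b1
Content-Type: image/svg+xml
Content-Disposition: inline; filename="logo.svg"
Content-ID: <logo1>

<svg xmlns="http://www.w3.org/2000/svg" onload="init()"><script>/* constructed */</script></svg>
--b1
Content-Type: image/svg+xml
Content-Disposition: attachment; filename="chart.svg"

<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>
--b1--
"""

# Markers of script-capable SVG content (assumed heuristic, not exhaustive).
ACTIVE = re.compile(r"<\s*script\b|\son\w+\s*=|javascript:|<\s*foreignObject\b", re.I)

def _text(part):
    return part.get_payload(decode=True).decode("utf-8", "replace")

def triage_svg_parts(raw):
    """Classify each image/svg+xml part as inline or attachment and flag active content."""
    msg = message_from_string(raw)
    html = "".join(_text(p) for p in msg.walk() if p.get_content_type() == "text/html")
    cids = set(re.findall(r"cid:([^\"'>\s]+)", html, re.I))  # images the HTML body embeds
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "image/svg+xml":
            continue
        cid = (part.get("Content-ID") or "").strip("<> ")
        inline = part.get_content_disposition() == "inline" or cid in cids
        findings.append({"filename": part.get_filename(),
                         "placement": "inline" if inline else "attachment",
                         "active_content": bool(ACTIVE.search(_text(part)))})
    return findings
```

Run over a mailbox export, the `placement` field shows how much legitimate mail would render blank spaces under the new behaviour, while `active_content` marks SVGs worth reviewing whether they arrive inline or as attachments.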
The decision is part of Microsoft’s wider strategy to reduce the number of features that attackers can abuse.
Over the past several years, the company has retired or restricted capabilities in both Office and Windows that have been used in phishing or malware campaigns.
Earlier in 2025, Outlook Web and Outlook for Windows began blocking .library-ms and .search-ms files, which BleepingComputer notes had been exploited in attacks against government targets since at least 2022.
Microsoft has also implemented protections against macros and add-ins in its productivity software. Changes include blocking VBA Office macros by default, adding protection for Excel 4.0 macros, disabling untrusted XLL add-ins and ActiveX controls in Microsoft 365 and Office 2024 apps, and removing support for VBScript.
The full list of formats now blocked is available in Microsoft’s documentation.